Abstract

Suppose a principal in a cryptographic protocol creates and transmits a message containing a new value v, later receiving v back in a different cryptographic context. It can conclude that some principal possessing the relevant key has received and transformed the message in which v was emitted. In some circumstances, this principal must be a regular participant of the protocol, not the penetrator.

An inference of this kind is an authentication test. We introduce two main kinds of authentication test. An outgoing test is one in which the new value v is transmitted in encrypted form, and only a regular participant can extract it from that form. An incoming test is one in which v is received back in encrypted form, and only a regular participant can put it in that form. We combine these two tests with a supplementary idea, the unsolicited test, and a related method for checking that keys remain secret. Together, these techniques determine what authentication properties are achieved by a wide range of cryptographic protocols.

In this paper we introduce authentication tests and prove their soundness. We illustrate their power by giving new and straightforward proofs of security goals for several protocols. We also illustrate how to use the authentication tests as a heuristic for finding attacks against incorrect protocols. Finally, we suggest a protocol design process.

We express these ideas in the strand space formalism, which provides a convenient context to prove them correct.

Key words: cryptographic protocols, authentication, secrecy, strand spaces, bundles, cryptographic protocol design
1 Introduction


One reason why cryptographic protocol analysis is hard is that the attacker has so many choices. He may apply a repertory of actions in any order to any message he observes, and he may submit the results in place of any legitimate message. In addition, the attacker may initiate new sessions of the protocol, or await sessions initiated by regular participants [7]. Consequently, even though cryptographic protocols are simple finite state activities in the absence of an attacker, the analysis of possible attacks is not necessarily decidable; indeed, even if the protocols are restricted so that the problem is decidable, it may not be tractable [3].

In this paper we use the strand space formalism [26] to restrict the order in which the penetrator applies the operations available to him (Section 3). Anything the penetrator can do at all, he can do carrying out operations in this restricted order. There are two ingredients in the restriction, a normal form lemma (Section 3.2, Proposition 5), and an efficiency condition (Section 3.6, Proposition 14). The normal form lemma is not new [5, 3], although the efficiency condition appears to be.

The main novelties in this paper are some very simple-to-apply methods for authentication and secrecy results, which the penetrator restrictions justify. An important consequence of the restrictions is that, for certain encrypted components of messages, the penetrator cannot take any significant action. Those components may be discarded, but if they are delivered to a regular participant, they can only be delivered unaltered. Only the regular participants can change these encrypted components in the way demanded by the protocol.

Therefore this kind of component may be regarded as an authentication test component: if the contents are later received in transformed form, then only a regular participant, not the penetrator, can have transformed them. In favorable circumstances, it can only be one regular participant, the intended one, who has thereby been authenticated.

We embody these ideas in three authentication results (Section 4.2, Authentication Tests 1-3). These results allow us to establish many authentication results without any consideration of the dynamic execution of protocols, involving the activity of several principals. Instead, it suffices to consider the forms of the possible behaviors of the principals independently. We use the Needham-Schroeder-Lowe protocol [17, 13] in explaining the ideas. In Section 5, we illustrate the authentication tests by proving the authentication properties of some familiar protocols and identifying counter-examples to others. The protocols we consider are from [19, 18, 27, 29]. It is routine to apply the method to new protocols, whether they use public keys or shared symmetric keys.

proofs) appeared as [9].


However, not every protocol can be verified using these methods. In particular, for the authentication theorems to apply, the protocol must not allow the authentication tests to be proper sub-messages of other messages manipulated by the regular participants. We end (Section 6) with a design process leading to protocols that not only avoid this sort of nesting, but also concentrate the crucial parameters to be authenticated in a small number of authentication test components.

The authentication tests themselves are easy to apply, but the proofs justifying them are more complicated. We would compare the authentication tests to the interface to a module; the implementation internal to the module is complex, but the interface makes it easy to use its services without worrying about the internals. For some purposes it would be helpful to enlarge the interface. There are additional services, or ways of drawing conclusions about authentication protocols, that the proof methods of Sections 3 and 4 can offer. For instance, one addition would be to make explicit the order in which events have occurred, which gives a convenient way to reason about whether a key has been generated recently. An enrichment of the message algebra would explicitly model the way a key may be generated by hashing other values (as is used e.g. in the SSL and TLS protocols [6]). However, the authentication tests currently exported in Section 4 already apply to a wide range of protocols, and give a highly intuitive explanation for why they are right, or where they go wrong.

The authentication tests, and some extensions, have been incorporated [21] into Athena [23], an automated system for protocol analysis based on the strand space model. Athena has been applied to large numbers of candidate protocols output by an automated protocol generator. In one two hour run, 11,000 candidates were filtered, yielding five successful protocols. Since the generator itself prunes protocols to avoid obvious flaws, this is a remarkable level of performance.

The proof methods of Section 3 can be used for other purposes also; in [10] we use them to study when different protocols may be safely combined.


1.1 Strand Spaces

We very briefly summarize the ideas behind the strand space model [26]; see also Appendix A.

A is the set of messages that can be sent between principals. We call elements of A terms. A is freely generated from two disjoint sets, T (representing texts such as nonces or names) and K (representing keys) by means of concatenation and encryption. The concatenation of terms g and h is denoted $g\,h$, and the encryption of h using key K is denoted $\{|h|\}_K$. (See Appendix A.3.)

For example, in the Needham-Schroeder protocol [17], the initiator A sends a term of the form $\{|N_a\,A|\}_{K_B}$ to start an exchange intended for B. This is a ciphertext created using B's public key $K_B$; the plaintext is the result of concatenating a nonce (random bitstring) $N_a$ and A's name.

A term t is a subterm of another term t', written $t \sqsubset t'$, if starting with t we can reach t' by repeatedly concatenating with arbitrary terms and encrypting with arbitrary keys. Hence, $K \not\sqsubset \{|t|\}_K$, except in case $K \sqsubset t$. The subterms of t are the values that are uttered when t is sent; in $\{|t|\}_K$, K is not uttered but used. (See Definition 21.)

For instance, the subterms of $\{|N_a\,A|\}_{K_B}$ are $N_a$, A, the concatenated message $N_a\,A$, and $\{|N_a\,A|\}_{K_B}$ itself. The key $K_B$ is not part of what is uttered; it just contributes to how the message is constructed.

A strand is a sequence of message transmissions and receptions, where transmission of a term t is represented as $+t$ and reception of term t is represented as $-t$. A strand element is called a node. If s is a strand, $(s, i)$ is the $i$th node on s. The relation $n \Rightarrow n'$ holds between nodes n and n' if $n = (s, i)$ and $n' = (s, i+1)$. Hence, $n \Rightarrow^{+} n'$ means that $n = (s, i)$ and $n' = (s, j)$ for some $j > i$. The relation $n \to n'$ represents inter-strand communication; it means that term(n) $= +t$ and node term(n') $= -t$.

Continuing with the Needham-Schroeder protocol as our pedagogical illustration, an initiator strand offers a sequence of events of the form

In this strand the initiator A sends a term $\{|N_a\,A|\}_{K_B}$ intended for the responder B, and expects to receive back a term of the form $\{|N_a\,N_b|\}_{K_A}$, after which it will send $\{|N_b|\}_{K_B}$. The reception is $(s_i, 2)$ and the final transmission is $(s_i, 3)$. The responder strands offer a sequence of events of the complementary form

When the data values $N_a$, A, ..., match between an initiator strand $s_i$ and a responder strand $s_r$, then we have $(s_i, 1) \to (s_r, 1)$ and $(s_r, 2)$

An initiator or responder strand has four parameters (or degrees of freedom), namely the two nonces $N_a$ and $N_b$ and the two names A and B. For this illustration, we regard the public keys $K_A$ and $K_B$ to be reliably determined from A and B, possibly by some public key infrastructure. When we write $s_i \in$ NSInit$[A, B, N_a, N_b]$ in this illustration, we will mean that $s_i$ is an initiator strand using the particular values shown as parameters, and similarly for $s_r \in$ NSResp$[A, B, N_a, N_b]$. The principal active in NSInit$[A, B, N_a, N_b]$ as initiator is A, while the principal active in NSResp$[A, B, N_a, N_b]$ as responder is B.

Fig. 1. A Bundle: Intended Run of Needham-Schroeder

A strand space S is a set of strands. S typically will not contain strands of every possible kind NSInit$[A, B, N_a, N_b]$ and NSResp$[A, B, N_a, N_b]$, modeling the fact that nonces are chosen from a large set and are used very sparsely, even over substantial periods. The two relations $\Rightarrow$ and $\to$ jointly impose a graph structure on the nodes of S. The vertices of this graph are the nodes, and the edges are the union of $\Rightarrow$ and $\to$.

We say that a term t originates at a node $n = (s, i)$ if the sign of n is positive; $t \sqsubset$ term(n); and $t \not\sqsubset$ term$((s, i'))$ for every $i' < i$. Thus, n represents a message transmission that includes t, and it is the first node in s including t. For instance, if $s_i \in$ NSInit$[A, B, N_a, N_b]$ then $N_a$ and A both originate at $(s_i, 1)$. If $s_r \in$ NSResp$[A, B, N_a, N_b]$ then $N_b$ originates at $(s_r, 2)$, assuming that $N_b$ is distinct from $N_a$ and A, which have already been received at $(s_r, 1)$.

If a value originates on only one node in the strand space, we call it uniquely originating; uniquely originating values are desirable as nonces and session keys. In a particular strand space, a nonce $N_a$ may originate uniquely on $(s_i, 1)$, in which case there is at most one strand in NSInit$[A, B, N_a, N_b]$. A is unlikely to originate uniquely, because the same name will be used in many runs with many partners. When we assume that a value like $N_a$ originates uniquely in some strand space S, we are effectively assuming that S is not unrealistically large, in a particular sense, namely so large as to contain independent events in which the same value is repeatedly chosen at random from a large set.

A bundle is a causally well-founded collection of nodes and arrows of both kinds. In a bundle, when a strand receives a message m, there is a unique node transmitting m from which the message was immediately received. By contrast, when a strand transmits a message m, many strands (or none) may immediately receive m. (See Definition 19.) The height of a strand in a bundle is the number of nodes on the strand that are in the bundle. Authentication theorems generally assert that a strand has at least a given height in some bundle, meaning that the principal must have engaged in at least that many steps of its run. Two illustrative bundles are shown in Figures 1-2. In Figure 1, initiator and responder match strands in the expected way, while in Figure 2 a penetrator manipulates B into believing that A is having a session with B, whereas in fact A intends to have a session with P [12, 13]. More formally, the strand on the left side is in the set NSInit$[A, P, N_a, N_b]$, not NSInit$[A, B, N_a, N_b]$.

Fig. 2. A Bundle: Penetrated Run of Needham-Schroeder

Given any bundle $\mathcal{C}$, there is a natural partial ordering on the nodes of $\mathcal{C}$, which we refer to as $\preceq_{\mathcal{C}}$, according to which $n_1 \preceq_{\mathcal{C}} n_2$ if there is a path from $n_1$ to $n_2$ using zero or more arrows of either kind (Definition 20). This relation expresses the fact that $n_1$ causally contributes to $n_2$ occurring in $\mathcal{C}$. In Figures 1 and 2, the relation happens to be a linear ordering, but this is not true in Figure 3, where neither K node is accessible from the other.

A strand represents the local view of a participant in a run of a protocol. For a legitimate participant, it represents the messages that participant would send or receive as part of one particular run of his side of the protocol. We call a strand representing a legitimate participant a regular strand. For the penetrator, the strand represents an atomic deduction. More complex actions can be formed by connecting several penetrator strands. While regular principals are represented only by what they say and hear, the behavior of the penetrator is represented more explicitly, because the values he deduces are treated as if they had been said publicly.

We partition penetrator strands according to the operations they exemplify. E-strands encrypt when given a key and a plaintext; D-strands decrypt when given a decryption key and matching ciphertext; C-strands and S-strands concatenate and separate terms, respectively; K-strands emit keys from a set of known keys; and M-strands emit known atomic texts or guesses. (See Definition 23.)

As an example, the compound behavior of the penetrator P, shown at the center top in Figure 2, can be realized using several of our official penetrator strands as shown in Figure 3, in which nodes $\pi_1$ and $\pi_6$ represent the nodes shared with Figure 2. This figure should be regarded as a part of Figure 2, shown separately simply to reduce its complexity. Some nodes have been labelled for later use.

Fig. 3. Penetrator Strands for Needham-Schroeder Attack

In Figure 3, the penetrator emits a private key $K_P^{-1}$ that is known to himself, and uses the result on a D strand to decrypt the incoming message. He emits a public key $K_B$ known (presumably) to everyone, using it in an encryption strand to produce the term $\{|N_a\,A|\}_{K_B}$ needed to start the process of duping B. The other penetrator action shown in Figure 2 may be expanded in a similar manner.


1.2 New Components


When a node transmits or receives a concatenated message, the penetrator — using C-strands and S-strands — has full power over how the parts are concatenated together. Thus, the important units for protocol correctness are what we call the components. A term $t_0$ is a component of t if $t_0 \sqsubset t$, $t_0$ is not a concatenated term, and every $t_1 \neq t_0$ such that $t_0 \sqsubset t_1 \sqsubset t$ is a concatenated term. Components are either atomic values or encryptions. (See Definition 22.) For instance, the term $\{|N_a\,A|\}_{K_B}$ consists of a single component, while $N_a\,A$ has two components, the atomic values $N_a$ and A. We say t is a component of a node n if t is a component of term(n).

A term t is new at $n = (s, i)$ if t is a component of term(n), but t is not a component of node $(s, j)$ for every $j < i$ (Definition 22). A component is new even if it has occurred earlier as a nested subterm of some larger component $\{|\cdots t \cdots|\}_K$. For instance, $\{|N_a\,A|\}_{K_P}$ is new on the top left node of Figure 2, and $N_a$ is new on the last node of the D strand in Figure 3.

When a component occurs new on a regular node, but was a subterm of some previous node, then the principal executing that strand has done some cryptographic work to extract it as a new component. The idea of emphasizing components and the regular nodes at which they occur new is due to [23].
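As an added illustration (not code from the paper) of the message algebra, subterm relation, components, origination and new-component notions of Sections 1.1 and 1.2, the following Python models terms and strands and runs those definitions over the Needham-Schroeder initiator and responder strands and a penetrator D strand; the principal, nonce and key names are constructed sample values.

```python
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class Text:
    """Element of T: a nonce or a name."""
    name: str

@dataclass(frozen=True)
class Key:
    """Element of K."""
    name: str

@dataclass(frozen=True)
class Cat:
    """Concatenation g h."""
    g: "Term"
    h: "Term"

@dataclass(frozen=True)
class Enc:
    """Encryption {|h|}_K."""
    h: "Term"
    k: Key

Term = Union[Text, Key, Cat, Enc]

def subterms(t):
    """Values uttered when t is sent: t and everything reached by peeling
    concatenations and encryptions.  The key of an encryption is used, not
    uttered, so K is not a subterm of {|h|}_K unless K is a subterm of h."""
    if isinstance(t, Cat):
        return {t} | subterms(t.g) | subterms(t.h)
    if isinstance(t, Enc):
        return {t} | subterms(t.h)
    return {t}

def is_subterm(t, u):
    return t in subterms(u)

def components(t):
    """Maximal non-concatenated subterms: atomic values or encryptions."""
    if isinstance(t, Cat):
        return components(t.g) + components(t.h)
    return [t]

# A strand is a list of signed terms: ('+', t) transmits t, ('-', t) receives t.
# B's name is a parameter of the strand even though only K_B appears in terms.
def ns_init(a, b, na, nb, ka, kb):
    return [('+', Enc(Cat(na, a), kb)), ('-', Enc(Cat(na, nb), ka)), ('+', Enc(nb, kb))]

def ns_resp(a, b, na, nb, ka, kb):
    return [('-', Enc(Cat(na, a), kb)), ('+', Enc(Cat(na, nb), ka)), ('-', Enc(nb, kb))]

def originates(t, strand, i):
    """t originates at (s, i): the node is positive, t is a subterm of term(n),
    and t is not a subterm of any earlier node on s."""
    sign, term = strand[i]
    return (sign == '+' and is_subterm(t, term)
            and not any(is_subterm(t, strand[j][1]) for j in range(i)))

def origination_points(t, space):
    """Every (strand index, node index) at which t originates in the space."""
    return [(k, i) for k, s in enumerate(space)
            for i in range(len(s)) if originates(t, s, i)]

def uniquely_originating(t, space):
    return len(origination_points(t, space)) == 1

def new_at(t, strand, i):
    """t is new at (s, i): a component of term(n) but of no earlier node on s,
    even if it occurred earlier nested inside a larger component."""
    return (t in components(strand[i][1])
            and not any(t in components(strand[j][1]) for j in range(i)))

# Constructed sample values for the Needham-Schroeder illustration.
A, B, NA, NB = Text('A'), Text('B'), Text('Na'), Text('Nb')
KA, KB, KB_INV = Key('K_A'), Key('K_B'), Key('K_B^-1')
SI = ns_init(A, B, NA, NB, KA, KB)
SR = ns_resp(A, B, NA, NB, KA, KB)
# A penetrator D strand decrypting A's first message: it receives K_B^-1 and
# {|Na A|}_{K_B} and emits Na A, so Na is new there but does not originate there.
D_STRAND = [('-', KB_INV), ('-', Enc(Cat(NA, A), KB)), ('+', Cat(NA, A))]
# A second initiator run by the same A with fresh nonces: A's name now
# originates on two nodes of the space, while Na still originates uniquely.
SI2 = ns_init(A, B, Text('Na2'), Text('Nb2'), KA, KB)
SPACE = [SI, SR, SI2]

if __name__ == "__main__":
    print(is_subterm(KB, SI[0][1]))                                         # False
    print(originates(NA, SI, 0), originates(NB, SR, 1))                     # True True
    print(uniquely_originating(NA, SPACE), uniquely_originating(A, SPACE))  # True False
    print(new_at(NA, D_STRAND, 2), originates(NA, D_STRAND, 2))             # True False
```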


2 Bundle Equivalences and Graph Operations


2.1 Bundle Equivalence


Definition 1 Bundles $\mathcal{C}, \mathcal{C}'$ on a strand space S are equivalent iff they have the same regular nodes.

A set $\Phi$ of bundles is invariant under bundle equivalences if whenever bundles $\mathcal{C}$ and $\mathcal{C}'$ are equivalent, $\mathcal{C} \in \Phi \iff \mathcal{C}' \in \Phi$.

Agreement and non-injective agreement properties [15, 26, 28] are invariant under bundle equivalences in this sense. For instance, a non-injective agreement property, expressed in our framework, asserts that whenever a bundle contains a protocol strand (for instance, a responder strand) of a certain height, then it also contains a matching strand (for instance, an initiator strand using the same data values) of suitable height. As such, it always concerns what nodes, representing regular activity of the protocol, must be present in bundles. Penetrator activity may or may not be present.

Secrecy properties may also be expressed in a form that is invariant under bundle equivalences. We say (temporarily) that a value t is uncompromised in $\mathcal{C}$ if for every $\mathcal{C}'$ equivalent to $\mathcal{C}$, there is no node $n \in \mathcal{C}'$ such that term(n) $= t$. In this form, a value is uncompromised if the penetrator cannot extract it in explicit form without further cooperation of regular strands. When stated in this form, the assertion that a value is uncompromised is invariant under bundle equivalences.


2.2 Graph Operations


A graph operation on a bundle consists of a sequence of one or more of the following:

(1) Deletion of any set of penetrator strands from the bundle, with the incident $\to$ edges.

(2) Addition of edges $n \to n'$ with term(n) $= +a$, term(n') $= -a$.

(3) Deletion of edges $n \to n'$.


A graph operation yields a new graph $\mathcal{C}'$. However, the graph $\mathcal{C}'$ is not necessarily a bundle. For instance, if $n \to n'$ is an edge of $\mathcal{C}$ with n a penetrator node, removal of the strand that contains n is a graph operation which causes the resulting graph to have a negative node with no in-arrow.

A lonely node in a strand space graph is a node with no incoming edge (if the node is negative) or no outgoing edge (if the node is positive). Lonely negative nodes are ruled out by the definition of bundle, whereas lonely positive nodes are allowed. Similarly, a node in a strand space graph is gregarious if it has more than one edge leaving or entering it. Gregarious negative nodes are ruled out, whereas gregarious positive ones are allowed. In applying graph operations on bundles, we must be careful not to create lonely or gregarious negative nodes.

Proposition 1 Suppose $\mathcal{C}$ is a bundle and $\mathcal{C}'$ is obtained from $\mathcal{C}$ by a graph operation such that

(1) For any edge $n \to n'$ of $\mathcal{C}'$ there is a sequence of nodes and bundle edges $n = n_1 \longmapsto \cdots \longmapsto n_k = n'$ in $\mathcal{C}$.

(2) $\mathcal{C}'$ has no lonely or gregarious negative nodes.

Then $\mathcal{C}'$ is a bundle. Moreover, $\mathcal{C}'$ is equivalent to $\mathcal{C}$ and the ordering on $\mathcal{C}'$ is a restriction of the ordering on $\mathcal{C}$.

Proof. The nodes in any connected sequence in $\mathcal{C}'$ form a subsequence of the nodes of a connected sequence in $\mathcal{C}$. To show $\mathcal{C}'$ is acyclic, notice that by assumption 1, for any non-trivial cycle in $\mathcal{C}'$ there is a non-trivial cycle in $\mathcal{C}$. Thus $\mathcal{C}'$ is a bundle. It is equivalent to $\mathcal{C}$ because a graph operation modifies only the set of penetrator nodes included in the bundle. □


3 Redundancies and Paths


We turn our attention to the portions of a bundle that contain penetrator activity, and the ways that we can simplify those portions.


3.1 Redundancies


Definition 2 A redundancy in a bundle $\mathcal{C}$ is any labeled subgraph of $\mathcal{C}$ that has one of the forms given in Figures 4-5.

Each redundancy contains nodes on two penetrator strands, indicated by the symbol •, and a number of "fringe" nodes indicated by the symbol ◦. The nodes are connected by inward edges ◦ → •, outward edges • → ◦ and internal edges • ⇒ •. The fringe nodes ◦ may be either regular nodes or penetrator nodes.

Fig. 4. E-D Redundancy
Fig. 5. C-S Redundancy

The presence of redundancies in a bundle makes it more difficult to see what the penetrator can actually do, and in particular whether any attacks can be crafted by a circuitous combination of strands. The purpose of this section is to show redundancies can be eliminated without any weakening of the penetrator's capability.

Proposition 2 Given any bundle $\mathcal{C}$ there exists an equivalent bundle $\mathcal{C}'$ with no redundancies. Moreover, the penetrator nodes of $\mathcal{C}'$ form a subset of the penetrator nodes of $\mathcal{C}$ and the ordering $\preceq_{\mathcal{C}'}$ is a restriction of the ordering $\preceq_{\mathcal{C}}$. If there exists $n \in \mathcal{C}$ such that term(n) $= t$, then there exists $n' \in \mathcal{C}'$ such that term(n') $= t$.

Fig. 6. E-D Redundancy Elimination
Fig. 7. C-S Redundancy Elimination

Proof. Consider each one of the redundancy types shown in Figures 4-5. Each one of these redundancies is a subgraph of $\mathcal{C}$ consisting of two penetrator strands $s_l$ and $s_r$, some arrows into the subgraph and some arrows out of the subgraph. Notice that by suitably replicating the strand $s_r$ in each one of the redundancy cases, we can assume the positive nodes of $s_r$ are not gregarious, that is, have exactly one outgoing arrow. For each such subgraph,

(1) Add the edges indicated by the dotted lines as shown in Figures 6-7. In the case of C-S elimination, two new edges are added; in the case of E-D elimination only one new edge is added. For each such new edge $n \to n'$, there is clearly a path $n \longmapsto n_2 \longmapsto \cdots \longmapsto n_k = n'$ in $\mathcal{C}$. Note that the addition of this edge creates some gregarious positive and negative nodes. In the next step we will remove the redundant edges leading to the gregarious negative nodes.

(2) Delete the right penetrator strand $s_r$. As a result of removing those nodes, the edges $m \to n'$ going out of $s_r$ are removed as well. In step 1, we added an arrow into $n'$ so that removal of $m \to n'$ does not leave us with a lonely negative node.

(3) As a result of the previous step, some positive nodes may have no outgoing arrows. These are marked in the figure. However, the presence of lonely positive nodes does not violate the bundle property so no further action is necessary to deal with these.

Note that the graph operation above satisfies the conditions of Proposition 1. Hence, the resulting graph is bundle equivalent to $\mathcal{C}$, and its ordering is a restriction of the ordering of $\mathcal{C}$. Note also that for each of the deleted nodes on $s_r$, there is another node with the same term that does not lie on $s_r$. □
3.2 Penetrator Paths and Normal Bundles


$m \Rightarrow^{+} n$ means that m, n are nodes on the same strand with n occurring after m (Definition 18, Clause 4). The notation $m \longmapsto n$ means:

• either $m \Rightarrow^{+} n$ with term(m) negative and term(n) positive, or else

• $m \to n$.

A path p through $\mathcal{C}$ is any finite sequence of nodes and edges $n_1 \longmapsto n_2 \longmapsto \cdots \longmapsto n_k$. Clearly, $n \preceq_{\mathcal{C}} n'$ whenever there is a path $n = n_1 \longmapsto n_2 \longmapsto \cdots \longmapsto n_k = n'$. We assume all paths begin on a positive node, and end on a negative node.

We refer to the $i$th node of the path p as $p_i$. The length of p will be $|p|$, and we will write $\ell(p)$ to mean $p_{|p|}$, i.e. the last node in p.

A penetrator path is one in which all nodes other than possibly the first or the last node are penetrator nodes. As an example of a penetrator path, in which the first and last nodes are in fact regular, consider again the partial bundle shown in Figure 3. The path $\pi =$

$\pi_1 \to \pi_2 \Rightarrow^{+} \pi_3 \to \pi_4 \Rightarrow^{+} \pi_5 \to \pi_6$

is a path that traverses penetrator nodes, connecting A's first transmission $\{|N_a\,A|\}_{K_P}$ to B's first reception $\{|N_a\,A|\}_{K_B}$. In contrast to $\pi$, the path $\psi =$

$\psi_1 \to \psi_2 \Rightarrow^{+} \pi_5 \to \pi_6$

starts on a penetrator node and ends on a regular node. Observe that by our conventions, $\psi_3$ and $\psi_4$ are well-defined (and equal to $\pi_5$ and $\pi_6$ respectively).

In a number of examples in the coming pages, we will use $\pi$ and $\psi$ as constants denoting these two particular paths, while p, by contrast, will be used as a variable ranging over paths in general.

Definition 3 Given a path p, one $\Rightarrow^{+}$ edge immediately precedes another $\Rightarrow^{+}$ edge in p iff they are separated in p by a single $\to$ edge.

For instance, $\pi_2 \Rightarrow^{+} \pi_3$ immediately precedes $\pi_4 \Rightarrow^{+} \pi_5$ in $\pi$.

Consider a $\Rightarrow^{+}$-edge between penetrator nodes. There are four penetrator strand types with a negative node followed by a positive node, namely E, D, C, and S strands.

Definition 4 A $\Rightarrow^{+}$-edge is constructive if it is part of an E or C strand. It is destructive if it is part of a D strand or if it is part of an S strand.

A penetrator node n is initial if it is a K or M node.

Any penetrator path that begins at a regular node contains only constructive and destructive $\Rightarrow^{+}$-edges, because initial nodes can occur only at the beginning of a path.

Proposition 3 In a bundle, a constructive edge immediately followed by a destructive edge has one of the following two forms:

(1) Part of an $E_{h,K}$ strand immediately followed by part of a $D_{h,K}$ strand for some h, K;

(2) Part of a $C_{g,h}$ strand immediately followed by part of an $S_{g,h}$ strand for some g, h.

Proof. This follows immediately from freeness of the message algebra. □

Proposition 4 If the bundle $\mathcal{C}$ has no redundancies of type C-S and E-D, then for any penetrator path of $\mathcal{C}$, every destructive edge precedes every constructive edge.

Proof. If some constructive edge precedes a destructive one, then some constructive edge immediately precedes a destructive one. However, if the bundle has no redundancies, then by Proposition 3, a constructive edge cannot immediately precede a destructive one. □

Since the property just introduced is very important, we give it a name, stressing the analogy with Prawitz's notion of normal derivation [22]:

Definition 5 A bundle $\mathcal{C}$ is normal if, for any penetrator path of $\mathcal{C}$, every destructive edge precedes every constructive edge.

[5] first observed the analogy between penetrator activities and natural deduction inferences. By Propositions 2 and 4, we may infer:

Proposition 5 (Penetrator Normal Form Lemma) For any bundle $\mathcal{C}$ there exists an equivalent normal bundle $\mathcal{C}'$.

Moreover, the penetrator nodes of $\mathcal{C}'$ form a subset of the penetrator nodes of $\mathcal{C}$ and the ordering $\preceq_{\mathcal{C}'}$ is a restriction of the ordering $\preceq_{\mathcal{C}}$. If there exists $n \in \mathcal{C}$ such that term(n) $= t$, then there exists $n' \in \mathcal{C}'$ such that term(n') $= t$.
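As an added example (not the paper's own code) of the path machinery of this section and the next, the Python below classifies the $\Rightarrow^{+}$ edges of a penetrator path as constructive or destructive (Definition 4), tests normality (Definition 5), eliminates E-D and C-S redundancies along a path in the manner of Figures 6-7 so that the result is normal (Proposition 4), and checks whether a path is falling or rising (Definition 6 in Section 3.3); the path $\pi$ of Figure 3 and a circuitous variant are constructed sample inputs, and the key and other-half fringe inputs of E, D and C strands are left implicit.

```python
def enc(h, k):
    """{|h|}_K as a tuple."""
    return ('enc', h, k)

def cat(g, h):
    """Concatenation g h as a tuple."""
    return ('cat', g, h)

def is_subterm(t, u):
    """t is a subterm of u: t is reached from u by peeling off concatenations
    and encryptions; the key of an encryption is used, not uttered, so skip it."""
    if t == u:
        return True
    if isinstance(u, tuple):
        inner = u[1:] if u[0] == 'cat' else (u[1],)
        return any(is_subterm(t, x) for x in inner)
    return False

# One =>+ edge of a penetrator path: (strand type, term carried into the
# strand along the path, term transmitted by the strand).
CONSTRUCTIVE = {'E', 'C'}
DESTRUCTIVE = {'D', 'S'}

def check_path(path):
    """Adjacent strands are joined by a -> edge, so each transmitted term
    must equal the next strand's received term."""
    for (_, _, out), (_, inp, _) in zip(path, path[1:]):
        if out != inp:
            raise ValueError(f"broken -> edge: {out!r} != {inp!r}")
    return True

def is_normal(path):
    """Definition 5: every destructive edge precedes every constructive edge."""
    seen_constructive = False
    for kind, _, _ in path:
        if kind in CONSTRUCTIVE:
            seen_constructive = True
        elif seen_constructive:
            return False
    return True

def is_redundancy(left, right):
    """Proposition 3: a constructive edge immediately followed by a destructive
    one can only be E_{h,K} then D_{h,K}, or C_{g,h} then S_{g,h}; by freeness
    of the algebra the second strand simply undoes the first."""
    lk, lin, lout = left
    rk, rin, rout = right
    return (lk, rk) in (('E', 'D'), ('C', 'S')) and lout == rin and rout == lin

def eliminate_redundancies(path):
    """Figures 6-7: drop the pair and let the dotted edge carry the
    constructive strand's input straight to where the destructive strand's
    output went.  Repeating until no constructive edge immediately precedes a
    destructive one yields a normal path (Proposition 4)."""
    path = list(path)
    i = 0
    while i < len(path) - 1:
        if is_redundancy(path[i], path[i + 1]):
            del path[i:i + 2]
            i = max(i - 1, 0)   # the deletion may expose a new adjacent pair
        else:
            i += 1
    return path

def is_falling(path):
    """Definition 6: the term shrinks along every edge.  A D strand entered
    through its D-key edge carries the key, not the cyphertext, so it fails."""
    return all(is_subterm(out, inp) for _, inp, out in path)

def is_rising(path):
    return all(is_subterm(inp, out) for _, inp, out in path)

# Constructed sample values for the attack of Figures 2-3.
NA, A, KP, KB = 'Na', 'A', 'K_P', 'K_B'
# The path pi of Figure 3: {|Na A|}_{K_P} is decrypted on a D strand (K_P^-1
# arrives on its D-key edge) and re-encrypted under K_B on an E strand.
PI = [('D', enc(cat(NA, A), KP), cat(NA, A)),
      ('E', cat(NA, A), enc(cat(NA, A), KB))]
# A circuitous path that encrypts Na, immediately decrypts it again, then
# concatenates it: it contains an E-D redundancy and is not normal.
CIRCUITOUS = [('D', enc(cat(NA, A), KP), cat(NA, A)),
              ('S', cat(NA, A), NA),
              ('E', NA, enc(NA, KB)),
              ('D', enc(NA, KB), NA),
              ('C', NA, cat(NA, 'B'))]

if __name__ == "__main__":
    check_path(PI)
    check_path(CIRCUITOUS)
    print("pi normal:", is_normal(PI))                                   # True
    print("pi: D part falling", is_falling(PI[:1]), "E part rising", is_rising(PI[1:]))
    print("circuitous normal:", is_normal(CIRCUITOUS))                   # False
    normal = eliminate_redundancies(CIRCUITOUS)
    print("after elimination:", [k for k, _, _ in normal], is_normal(normal))
```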


3.3 Rising and Falling Paths


Definition 6 A penetrator path is falling if for all adjacent nodes $n \longmapsto n'$ on the path term(n') $\sqsubset$ term(n).

A penetrator path is rising if for all adjacent nodes $n \longmapsto n'$ on the path term(n) $\sqsubset$ term(n').

Fig. 8. Entering a D strand through a key edge
Fig. 9. Entering an E strand through a key edge

The path $\pi$ from Figure 3 contains a falling subpath $\pi_1 \longmapsto \cdots \longmapsto \pi_4$ and a rising subpath $\pi_3 \longmapsto \cdots \longmapsto \pi_6$. The transmission edge $\pi_3 \to \pi_4$ may be associated with either subpath, or regarded as a bridge between the two subpaths.

A path containing only destructive edges may not be falling, since a destructive path may traverse a decryption strand entering through the key transmission edge (Figure 8). Call the edge labeled $K^{-1}$ in Figure 8 a D-key edge. The other incoming edge into a D strand is a D-cyphertext edge.

In a symmetrical way, a constructive path may traverse an encryption strand entering through the key transmission edge (Figure 9). Call the edge labeled $K$ in Figure 9 an E-key edge. The other incoming edge into an E strand is an E-plaintext edge. The path $\pi$ from Figure 3 traverses no key edges, while path $\rho$ traverses an E-key edge.

For a constructive path, we are entitled to a stronger conclusion. If $p$ is any constructive path, then $p$ can traverse an E-key edge only once, along the edge $p_1 \to p_2$, and only if $\mathrm{term}(p_1) \in \mathsf{K}$. After that, later nodes must have a compound term, not an atomic term such as a key.

Proposition 6 A destructive path that enters decryption strands only through D-cyphertext edges is falling.

A constructive path that enters encryption strands only through E-plaintext edges is rising, and this is the case for any constructive $p$ such that $\mathrm{term}(p_1) \notin \mathsf{K}$.


Moreover, the sequence of penetrator strands traversed on a falling path is constrained by the structure of $\mathrm{term}(p_1)$. We use the relation $t_0 \sqsubset_{\mathcal{S}} t$, which means that $t_0$ occurs somewhere in $t$ such that every surrounding encryption uses a key $K \in \mathcal{S}$ (Definition 22). Recall that $\ell(p)$ is the last node on the path $p$, i.e. $p_{|p|}$.

Proposition 7 (1) Suppose that $p$ is a falling penetrator path; suppose $p_i$ is a negative penetrator node; and suppose $1 \le i < |p|$. Then $\mathrm{term}(p_i)$ is either an encryption or a concatenation, and:

(a) If $\mathrm{term}(p_i) = \{h\}_K$, then $p_i$ lies on a D-strand, and $\mathrm{term}(p_{i+1}) = h$; and

(b) If $\mathrm{term}(p_i) = g\,h$, then $p_i$ lies on an S-strand, and either $\mathrm{term}(p_{i+1}) = g$ or $\mathrm{term}(p_{i+1}) = h$.

(2) If $p_i$ is a positive node with $1 \le i < |p|$, then $\mathrm{term}(p_i) = \mathrm{term}(p_{i+1})$.

(3) Suppose $p$ is a falling penetrator path, and suppose that every D-strand $s$ that $p$ traverses has key edge $K^{-1}$, for some $K \in \mathcal{S}$. Then $\mathrm{term}(\ell(p)) \sqsubset_{\mathcal{S}} \mathrm{term}(p_1)$.


Proof. The assertion for a positive node $p_i$ is immediate from the definition of paths. So consider a negative node $p_i$.

Since $i < |p|$, there is a node $p_{i+1}$ on this penetrator path, so $p_i$ is a penetrator node. The strand on which $p_i$ lies is neither a K-strand nor an M-strand, as these lack negative nodes. It is neither a C-strand nor an E-strand because $p$ is a falling path. Hence only D-strands and S-strands remain, and the rest follows from the freeness of the message algebra $\mathsf{A}$.

To see that $\mathrm{term}(\ell(p)) \sqsubset_{\mathcal{S}} \mathrm{term}(p_1)$ when there exists a falling path traversing D-strands only with decryption keys in $\mathcal{S}^{-1}$, consider the strands in $p$ in reverse order, starting at $\ell(p)$ with $\mathrm{term}(\ell(p))$. For each S-strand, perform a concatenation with the term on the other positive node of that strand (i.e. the positive node not belonging to $p$). For each D-strand, perform an encryption with the inverse of the decryption key on that strand. The resulting term is $\mathrm{term}(p_1)$. □

Hence, as we traverse a falling penetrator path, we take successive subterms of the term at the start, with each successive strand determined by the topmost operator of the current term. Observe also that if $\mathrm{term}(\ell(p)) = K$, then there must be some $i$ with $1 \le i \le |p|$ and $\mathrm{term}(p_i)$ a component of $p_1$: simply proceed along the path past all (contiguous) S-strands; if this is $\ell(p)$ then $K$ is the component, while otherwise it is some $t_0$ with $K \sqsubset t_0$.
Fig. 11. Exit Bridge

Symmetrically, the sequence of penetrator strands traversed on a rising path is constrained by the structure of $\mathrm{term}(\ell(p))$, although we will not need this fact.

One curlicue is useful. A bundle may contain a penetrator D-strand $s$ in which a key $K$ is used to decrypt $\{K\}_{K^{-1}}$, thereby obtaining $K$. Clearly, we may use a graph operation to splice $s$ out of the bundle, connecting the incoming key edge with term $K$ to the outgoing plaintext edge with term $K$.

Proposition 8 If $\mathcal{C}$ is any bundle, there is an equivalent bundle $\mathcal{C}'$ containing no D-strands of the form $\langle -\{K\}_{K^{-1}},\ -K,\ +K \rangle$. The resulting bundle $\mathcal{C}'$ is normal if $\mathcal{C}$ is.


3.4 Bridges and Bridge Terms


Of  special  interest  are  the  message  transmission  edges  that  come  after  all 
destructive  edges  and  before  all  constructive  edges  in  a  normal  penetrator 
path.  We  call  them  bridges. 

Definition 7 A bridge in a bundle $\mathcal{C}$ is a message transmission edge $m \to n$ embedded in a subgraph of one of the types shown in Figures 10-13.

If $m \to n$ is a bridge, then its bridge term is $\mathrm{term}(m)$, which equals $\mathrm{term}(n)$.

A bridge is simple iff its bridge term is simple, that is, is not of the form $g\,h$.


Any edge between regular nodes is an external bridge. The source $m$ of a bridge $m \to n$ is never on a constructive penetrator strand, and the target $n$ is never on a destructive penetrator strand. The edge $\pi_3 \to \pi_4$ is the only bridge on our example path $\pi$ from Figure 3.
Fig. 13. Internal Bridge

Proposition 9 Suppose that $\mathcal{C}$ is a normal bundle, and $p$ is any penetrator path in $\mathcal{C}$. Then $p$ traverses exactly one bridge. Any destructive edge along $p$ precedes the bridge of $p$, and any constructive edge on $p$ follows the bridge of $p$.

Any bundle $\mathcal{C}$ can be replaced by an equivalent bundle $\mathcal{C}'$ in which all bridges are simple; moreover if $\mathcal{C}$ is normal so is $\mathcal{C}'$.

Proof. Consider a bridge $\circ \xrightarrow{g\,h} \circ$ that transmits a concatenated term $g\,h$ from a destructive penetrator node or regular node to a constructive or regular node. Replace the bridge by a graph consisting of two bridges:

[diagram: an S-strand separates $g\,h$ into $g$ and $h$, and a C-strand recombines them; the two resulting bridges carry the terms $g$ and $h$]

These graph operations do not create lonely or gregarious negative nodes and do not introduce cycles in the graph. Moreover, if the original bundle is normal, that is, contains no C-S or E-D redundancies, the new bundle is also normal. □

By this proposition, there is a function $\mathrm{pbt}(\cdot)$ from paths to terms that is well-defined on every penetrator path in normal bundles. Given a penetrator path $p$, $\mathrm{pbt}(p)$ is the path bridge term of $p$, which is the bridge term of the (unique) bridge on $p$. We may assume that $\mathrm{pbt}(p)$ is always simple, which is to say either an atomic value or an encryption.

The bridge $\pi_3 \to \pi_4$ carries the term $N_a\,A$, so it is not simple. Applying the construction just given in the proof, we obtain two paths; they share their nodes except those bordering the bridges. One path has bridge term $N_a$, and the other has bridge term $A$.

A bundle with simple bridges is a kind of worst case scenario, because the penetrator separates and re-concatenates every message between regular nodes. However, simple bridges lead to simple proofs.


3.5  Transforming  Edges  and  Transformation  Paths 


Given a test of the form $n \Rightarrow^+ n'$, our strategy for proving the authentication test results is to consider the paths leading from $n$ to $n'$. Because there is a value $a$ originating uniquely at $n$, and it is received back at $n'$, there must be a path leading from $n$ to $n'$ (apart from the trivial path that follows the strand from $n$ to $n'$). Moreover, since $a$ is received in a new form at $n'$, there must be a step along the path that changes its form; this is a transforming edge. The incoming and outgoing authentication test results codify conditions under which we can infer that a transforming edge lies on a regular strand.

Our  proofs  focus  on  the  transformation  paths  leading  from  n  to  n'  that  keep 
track  of  a  “relevant”  component  containing  a.  The  relevant  component  changes 
only  when  a  transforming  edge  is  traversed,  and  a  occurs  in  a  new  component. 

We regard the edge $n \Rightarrow^+ n'$ as a transformed edge, because the same value $a$ occurs in both nodes, but node $n'$ contains $a$ in transformed form.

Definition 8 The edge $n_1 \Rightarrow^+ n_2$ is a transformed edge for $a \in \mathsf{A}$ [respectively, a transforming edge for $a \in \mathsf{A}$] if $n_1$ is positive and $n_2$ is negative [respectively, $n_1$ is negative and $n_2$ is positive], $a \sqsubset \mathrm{term}(n_1)$, and there is a new component $t_2$ of $n_2$ such that $a \sqsubset t_2$.

Thus, a transformed edge emits $a$ and later tests for its presence in a new form. A transforming edge receives $a$ and later emits it in transformed form. We have chosen to interpret a "form" in which $a$ occurs as a component in which it occurs. Considering again $s_i \in \mathrm{NSInit}[A, B, N_a, N_b]$, the first two nodes

$+\{N_a\,A\}_{K_B} \Rightarrow -\{N_a\,N_b\}_{K_A}$

are a transformed edge for $N_a$, while the second and third nodes are a transforming edge for $N_b$. Conversely, for $s_r \in \mathrm{NSResp}[A, B, N_a, N_b]$, the first two nodes are a transforming edge for $N_a$, while the second and third nodes are a transformed edge for $N_b$.




Definition 9 A transformation path is a path for which each node $n_i$ is labelled by a component $\mathcal{L}_i$ of $n_i$ in such a way that $\mathcal{L}_i = \mathcal{L}_{i+1}$ unless $n_i \Rightarrow n_{i+1}$ and $\mathcal{L}_{i+1}$ is new on the strand of $n_{i+1}$.

We can regard a transformation path as a sequence of pairs $(n_i, \mathcal{L}_i)$ consisting of a node and a component of that node. If $\mathcal{L}_i \ne \mathcal{L}_{i+1}$ and $a \sqsubset \mathcal{L}_i$ and $a \sqsubset \mathcal{L}_{i+1}$, then $n_i \Rightarrow n_{i+1}$ is a transforming edge (Definition 8) for $a$. This is the explanation for the name, transformation path. The sequence

$\langle (\pi_1, \{N_a\,A\}_{K_P}),\ (\pi_2, \{N_a\,A\}_{K_P}),\ (\pi_3, N_a\,A),\ (\pi_4, N_a\,A),\ (\pi_5, \{N_a\,A\}_{K_B}),\ (\pi_6, \{N_a\,A\}_{K_B}) \rangle$

is a transformation path for $N_a$. We could also choose a longer example from Figures 2 and 3, because the path $p$ need not be a penetrator path, and need not terminate when a regular node is reached.

By inspecting the forms of penetrator strand (Definition 23), we observe:

Proposition 10 If $(p, \mathcal{L})$ is a transformation path in which $\mathcal{L}_i \ne \mathcal{L}_{i+1}$, and $p_i$ is a penetrator node, then $p_i \Rightarrow p_{i+1}$ lies either on a D-strand or an E-strand.

The next proposition states that given a node such as $\pi_6$, it is possible to construct a transformation path like the one we have just given, leading back to a node at which $N_a$ originates.

Proposition 11 Suppose $\mathcal{C}$ is a bundle in $\Sigma$ with $n' \in \mathcal{C}$, and suppose $a \sqsubset t$ where $t$ is a component of $n'$. There is a transformation path $p$ in $\mathcal{C}$ such that $a$ originates at $p_1$, $\ell(p) = n'$, $\mathcal{L}_{|p|} = t$, and $a \sqsubset \mathcal{L}_i$ for all $i$.

We  may  choose  p  so  as  not  to  traverse  the  key  edge  of  a  D-  or  E-strand. 

Proof. We will construct the path $p$ backwards. Let $n_1 = n'$, let $\mathcal{L}_1 = t$, and suppose that (inductively) we have a transformation path

$(n_{k+1}, \mathcal{L}_{k+1}) \longmapsto (n_k, \mathcal{L}_k) \longmapsto \cdots \longmapsto (n_1, \mathcal{L}_1)$

such that $a \sqsubset \mathcal{L}_j$ for all $j$ in the path. If $a$ originates at $n_{k+1}$ then $p$ is complete. So suppose $a$ does not originate at $n_{k+1}$.

If $n_{k+1}$ is negative, then $\mathcal{C}$ contains a unique $n_{k+2}$ such that $n_{k+2} \to n_{k+1}$. Extend $p$ backwards to $(n_{k+2}, \mathcal{L}_{k+1})$.

Suppose $n_{k+1}$ is positive, and $\mathcal{L}_{k+1}$ is new. There exists a node $n_{k+2} \Rightarrow^+ n_{k+1}$ such that $a \sqsubset \mathrm{term}(n_{k+2})$, since $a$ does not originate at $n_{k+1}$. Extend $p$ backwards to contain some such $n_{k+2}$ and let $\mathcal{L}_{k+2}$ be any component of $n_{k+2}$ which contains $a$.

If $\mathcal{L}_{k+1}$ is not new, then there is a node $n_{k+2} \Rightarrow^+ n_{k+1}$ such that $\mathrm{term}(n_{k+2})$ has component $\mathcal{L}_{k+1}$. Extend $p$ backwards to $(n_{k+2}, \mathcal{L}_{k+1})$.

Observe that if $n_{k+1}$ is the positive (ciphertext) node on an E-strand, then we may select the plaintext node as $n_{k+2}$, because it does contain $a$, and the ciphertext is new. If $n_{k+1}$ is the positive (plaintext) node on a D-strand, then we may select the ciphertext node as $n_{k+2}$, because it does contain $a$, and the plaintext is new (by Proposition 8). Thus, $p$ never traverses a key edge.

Because $\prec_{\mathcal{C}}$ is a well-founded relation (Proposition 27) and $i < j$ implies $n_j \prec_{\mathcal{C}} n_i$, eventually $n_j$ is a node at which $a$ originates. □

Proposition 12 Suppose $p$ is a transformation path such that $a \sqsubset \mathcal{L}_i$ for every $i$ and $\mathcal{L}_1 \ne \mathcal{L}_n$. Then $p$ has a transforming edge for $a$.

Proof. Argue by contradiction. If there is no transforming edge for $a$ in the path, then for every edge $(p_i, \mathcal{L}_i) \longmapsto (p_{i+1}, \mathcal{L}_{i+1})$ in $p$, there is no new component in $p_{i+1}$ containing $a$. By definition of transformation path, this means $\mathcal{L}_i = \mathcal{L}_{i+1}$. So in particular, $\mathcal{L}_1 = \mathcal{L}_n$. □

In the case of our path $\pi$, the edges $\pi_2 \Rightarrow \pi_3$ and $\pi_4 \Rightarrow \pi_5$ are transforming edges. Note that $\pi_3$ lies on a D strand and $\pi_5$ lies on an E strand; they are the values $p_\beta$ and $p_\alpha$ mentioned in the next proposition (respectively). The proposition also entails that the distinguished component $\mathcal{L}_1$, which may be a subterm of $\mathrm{term}(p_1)$, stands on its own as the whole of some message $\mathrm{term}(p_\beta)$.

Proposition 13 Suppose $\mathcal{C}$ is a normal bundle.

(1) Let $(p, \mathcal{L})$ be a transformation path in $\mathcal{C}$ such that $p$ is a penetrator path and $\mathrm{term}(p_1)$ is simple. There is a smallest index $\alpha$ such that $\mathrm{term}(p_\alpha) = \mathcal{L}_i = \mathcal{L}_{|p|}$, for all $i$ such that $\alpha \le i \le |p|$.

Moreover, if $\mathcal{L}$ is not constant then $p_\alpha$ is the positive node of an E-strand.

(2) Let $(p, \mathcal{L})$ be a transformation path in $\mathcal{C}$ such that $p$ is a penetrator path and $\mathrm{term}(\ell(p))$ is simple. Either $\mathcal{L}$ is constant or there is a smallest index $\beta$ such that $\mathcal{L}_\beta \ne \mathcal{L}_1$. The positive node $p_\beta$ lies on a D-strand and $\mathrm{term}(p_{\beta-1}) = \mathcal{L}_{\beta-1}$.

In either case, there is an index $\beta$ such that $\mathrm{term}(p_\beta) = \mathcal{L}_1$.

Proof. New components of penetrator strands occur only on D-strands or E-strands. Since $p$ is a penetrator path, $\mathcal{L}_{i+1} \ne \mathcal{L}_i$ if and only if $p_{i+1}$ is the positive node of an E-strand or the positive node of a D-strand. If $p_{i+1}$ is the positive node of an E-strand, then $\mathrm{term}(p_{i+1})$ is an encrypted term and therefore $\mathrm{term}(p_{i+1})$ has only one component. Therefore, $\mathrm{term}(p_{i+1}) = \mathcal{L}_{i+1}$. If $p_{i+1}$ is the positive node of a D-strand, then $\mathrm{term}(p_i)$ is an encrypted term so that similarly $\mathrm{term}(p_i) = \mathcal{L}_i$.

Notice that if $\mathcal{L}$ is constant and $\mathrm{term}(p_1)$ is simple, then $\mathrm{term}(p_1)$ consists of a single component, and $\mathcal{L}_1 = \mathrm{term}(p_1)$. Hence, $\mathcal{L}_1 = \mathcal{L}_{|p|} = \mathrm{term}(p_1)$. □

Fig. 14. An Inefficient Bundle for a Fictitious Protocol


3.6  Efficient  Bundles 


Definition 10 A bundle is efficient if and only if, for every node $m$ and negative penetrator node $n$, if every component of $n$ is a component of $m$, then there is no regular node $m'$ such that $m \prec m' \prec n$.

We call a bundle of this kind efficient because the penetrator does the most with what he has rather than making use of additional regular nodes.

The bundles we show in Figure 1 and Figures 2-3 are efficient. Whenever a penetrator node handles a term, there is no earlier node that has all the same components with a regular node traversed in between. However, in the case of the nonsensical variant of the Needham-Schroeder protocol shown in Figure 14, the marked edge would need to be removed, and replaced with the dashed diagonal. The negative penetrator node $n$ must not receive its term from the third initiator node, when it can be obtained directly from the first initiator node. We can always replace a bundle by an efficient one, and we can do so without interfering with the Normal Form Lemma:

Proposition 14 Any bundle $\mathcal{C}$ is equivalent to an efficient bundle $\mathcal{C}'$. $\mathcal{C}'$ may be chosen such that $n \in \mathcal{C}$ implies $n \in \mathcal{C}'$. If a bundle is efficient, then it has an equivalent normal bundle which is also efficient.

Proof. Consider a negative penetrator node $n$ and a node $m$ such that every component of $n$ is a component of $m$. We show how to modify $\mathcal{C}$ by graph operations, so that in the resulting bundle there will be no regular node between $m$ and $n$ in the ordering $\prec$.

For each component $t_0$ of $n$, add an arrow from $m$ into a cluster $S_{t_0}$ of S strands to extract the term $t_0$. This is possible since $t_0 \sqsubset_{\emptyset} \mathrm{term}(m)$. Call the positive S node whose term is $t_0$ the extraction node for $t_0$.

We can now add arrows from the extraction nodes into a cluster of C nodes from which emerges an arrow whose term is $\mathrm{term}(n)$. Observe that we have not omitted nodes, but have simply added penetrator nodes on S and C strands.

Since $n$ is negative, there is a unique incoming arrow into $n$ in $\mathcal{C}$. By graph operations we can replace that arrow with the arrow emerging from the cluster of C strands. The resulting graph has no cycles, and no lonely or gregarious negative nodes are created by this graph operation. In the new bundle, the nodes $m$ and $n$ are not connected by any path which has an intermediate regular node. These operations add a new set of nodes to the graph, but each of these new nodes can only be reached (from below) by paths which traverse $m$.

To  show  that  any  efficient  bundle  has  an  equivalent  normal  efficient  bundle, 
it  suffices  to  show  that  the  graph  operations  used  to  eliminate  redundancies 
in  Proposition  2  preserve  efficiency.  The  only  graph  operation  which  might 
destroy  efficiency  is  adding  a  message  transmission  edge  between  two  nodes. 
However,  these  nodes  are  connected  in  the  original  bundle  by  a  path  which 
only  traverses  penetrator  nodes.  Thus  no  new  paths  connecting  a  regular  node 
to  a  shadowed  node  can  appear  in  the  modified  graph.  □ 


In efficient bundles, no transformation path ever needs to revisit the same distinguished component that occurs in an "earlier" transformation path (where "earlier" means that there is a regular node between the end of one and the beginning of the other):

Proposition 15 Suppose $\mathcal{C}$ is a normal efficient bundle and $(p, \mathcal{L})$ and $(p', \mathcal{L}')$ are transformation paths in $\mathcal{C}$. Assume $p$ is a penetrator path which starts at a simple term, $p'$ is a penetrator path which ends at a simple term, and there is some regular node $m$ such that $\ell(p) \prec m \prec p'_1$. Then for all $i$ with $1 \le i \le |p|$ and $j$ with $1 \le j \le |p'|$, $\mathcal{L}_i \ne \mathcal{L}'_j$.

Proof. Choose $i, j$; by Proposition 13, there are indices $\alpha \le i$ and $\beta \ge j$ such that $\mathrm{term}(p_\alpha) = \mathcal{L}_i$ and $\mathrm{term}(p'_\beta) = \mathcal{L}'_j$. In particular, $p_\alpha \prec m \prec p'_\beta$, and $\mathrm{term}(p_\alpha)$, $\mathrm{term}(p'_\beta)$ both have single components. Therefore, by bundle efficiency, $\mathrm{term}(p_\alpha) \ne \mathrm{term}(p'_\beta)$, or equivalently $\mathcal{L}_i \ne \mathcal{L}'_j$. □
4 A Method for Authentication


In this section we describe our method for establishing authentication results. We first show how to establish whether keys are accessible to the penetrator or not (Section 4.1). We define three kinds of authentication tests, and state a theorem about each one, showing what other regular nodes must exist in a bundle, if that bundle contains an example of an authentication test. We will illustrate the first authentication test result using the Needham-Schroeder and Needham-Schroeder-Lowe protocols. Proofs are gathered in Section 4.3, after the main ideas have been explained and illustrated.

In the next section (Section 5), we will apply these authentication test theorems to additional examples. A surprising amount of protocol verification and discovery of counterexamples can be derived directly from the results of the current section.


4.1 Penetrable Keys and Safe Keys


Given a strand space $\Sigma$, we can inductively define the set of keys that may become known to the penetrator. We use the relation $\sqsubset_{\mathcal{S}}$ defined in Definition 22; $t_0 \sqsubset_{\mathcal{S}} t$ means that $t_0$ occurs as a subterm of $t$ in a position where all encryptions surrounding it use keys $K \in \mathcal{S}$. Thus, either $t$ can be constructed from $t_0$ simply by (possibly repeated) concatenation, or else $t$ can be written in the form

$\ldots \{\ldots t_0 \ldots\}_K \ldots$

where $K \in \mathcal{S}$ and the dots hide only concatenations and other encryptions with keys in $\mathcal{S}$. The set $\mathcal{S}^{-1}$ means the set of inverses of keys in $\mathcal{S}$. For instance, let $\mathcal{S} = \{K_B\} = \{K_B^{-1}\}^{-1}$. Then $N_a \sqsubset_{\mathcal{S}} \{N_a\,A\}_{K_B}$. Moreover, $N_a \sqsubset_{\mathcal{S}} N_b\,\{N_a\,A\}_{K_B}$.


In the base case of this definition we refer to $\mathsf{K}_P$, which is the set of keys known to the penetrator initially, apart from any protocol activity (Definition 23).

Definition 11 Let $P_0 = \mathsf{K}_P$.

Let $P_{i+1} = P_i \cup Y$, where $K \in Y$ if and only if there exists a positive regular node $n \in \Sigma$ and a term $t$ such that:

(1) $t$ is a new component of $n$, and

(2) $K \sqsubset_{P_i^{-1}} t$.

$P = \bigcup_i P_i$.

Thus, either a penetrable key is already penetrated ($\mathsf{K}_P$), or else some regular strand puts it in a form that could allow it to be penetrated, because for each key protecting it, the matching decryption key is already penetrable. The justification for this definition is that any key that becomes available to the penetrator in any bundle is in fact a member of $P$.

Proposition 16 Let $\mathcal{C}$ be a bundle with $n \in \mathcal{C}$ and $\mathrm{term}(n) = K$. Then $K \in P$.

The proof is contained in Section 4.3.1. $P$ is a conservative approximation. It may be larger than the set of keys that the penetrator can really capture, because the strand that would put the key in danger may not be contained in any bundle.

Definition 12 Let $S_0$ be the set of keys $K$ such that $K \notin \mathsf{K}_P$ and there is no positive regular node $n \in \Sigma$ and term $t$ such that $t$ is a new component of $n$ and $K \sqsubset t$.

Let $S_{i+1}$ be the set of keys $K$ such that $K \notin \mathsf{K}_P$, and for every positive regular node $n \in \Sigma$ and new component $t$ of $n$, every occurrence of $K$ in $t$ lies within an encryption using some key $K_0$ where $K_0^{-1} \in S_i$:

$\ldots \{\ldots K \ldots\}_{K_0} \ldots$

$S = \bigcup_i S_i$. When $K \in S$, we say that $K$ is safe in $\Sigma$.

Evidently, the set of safe keys is disjoint from $P$. However, there are strand spaces $\Sigma$ in which there are keys $K$ such that $K \notin P \cup S$.

In practice, protocol secrecy goals frequently amount to showing that certain keys are in either $S_0$ or $S_1$. Larger values of $i$ seem rarely to occur in these protocols. Showing that a private key or a long-term symmetric key is in $S_0$ typically reduces to checking that it is assumed not to be in $\mathsf{K}_P$, because protocols generally avoid emitting terms containing these keys.

For instance, in the Needham-Schroeder protocol, if $n$ is a regular node, then $K \not\sqsubset \mathrm{term}(n)$ for every key $K$. Hence, $S_0 = \mathsf{K} \setminus \mathsf{K}_P$, which says that any key not initially known to the penetrator is permanently safe.

Many protocols expect session keys to be generated by a key server, which sends them encrypted in the long-term keys of two principals, and no principal ever re-encrypts a session key under a new key. In a particular session, a session key $K$ may be sent encrypted with long-term keys not in $\mathsf{K}_P$ (or, if they are asymmetric, their inverses are not in $\mathsf{K}_P$). If the server never re-sends the same session key $K$ in a different session, we can infer that $K \in S_1$. This idea is illustrated in Sections 5.1 and 5.2.
There also exist protocols in which the session key is translated, in the sense that it is sent out originally encrypted with one key and is later re-encrypted by another principal under a new key. These protocols can also be correct, although they demand special care. The TMN protocol is a (flawed) example [24]. In the case of a correct protocol of this form, it may be necessary to show that the session key is in $S_2$. However, the fact that $S_0$ and $S_1$ cover typical protocols makes this method for proving secrecy particularly easy to use.

One can also prove that a non-key data value such as a nonce is kept secret in a protocol; one simply shows that every regular component containing it is of the form $\{h\}_K$ where $K^{-1} \in S_i$. Again, typically $i = 0$ or $1$. We call $t$ a regular component if there is a regular node $n$ such that $t$ is a component of $\mathrm{term}(n)$.
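The relation $t_0 \sqsubset_{\mathcal{S}} t$ used in Proposition 7(3) and the inductive sets $P$ and $S_i$ of Definitions 11 and 12 are small enough to compute directly. The following Python is an added illustration, not code from the paper: it represents terms as nested tuples, implements $\sqsubset_{\mathcal{S}}$, the descent along a falling path, and the two fixpoints, and runs them on the Needham-Schroeder messages and on a constructed key-server pattern. The key names `Kas`, `Kbs`, `Kab` and the `^-1` suffix for inverse keys are this example's own conventions, not the paper's.

```python
# Penetrable keys P (Definition 11) and safe keys S_0, S_1, ... (Definition 12)
# over a toy message algebra.  Added illustration, not code from the paper.
#
# Terms: atoms are strings (names, nonces, key names); ('cat', g, h) is the
# concatenation g h; ('enc', h, K) is {h}_K with K a key name.  An inverse map
# lists the asymmetric pairs; a key absent from it is symmetric (self-inverse).

def key_pairs(*names):
    """Inverse map for asymmetric pairs named K and K^-1 (constructed naming)."""
    inv = {}
    for k in names:
        inv[k], inv[k + '^-1'] = k + '^-1', k
    return inv

def inverse(k, inv):
    return inv.get(k, k)

def occurs_under(t0, t, S):
    """t0 ⊑_S t: t0 occurs in t and every encryption around that occurrence uses a
    key in S.  A key in key position is not a subterm, so it is never matched."""
    if t == t0:
        return True
    if isinstance(t, str):
        return False
    if t[0] == 'cat':
        return occurs_under(t0, t[1], S) or occurs_under(t0, t[2], S)
    _, h, k = t
    return k in S and occurs_under(t0, h, S)

def guarded(K, t, G, inv, protected=False):
    """Every occurrence of K in t lies inside an encryption whose key K0 has K0^-1 in G."""
    if t == K:
        return protected
    if isinstance(t, str):
        return True
    if t[0] == 'cat':
        return guarded(K, t[1], G, inv, protected) and guarded(K, t[2], G, inv, protected)
    _, h, k0 = t
    return guarded(K, h, G, inv, protected or inverse(k0, inv) in G)

def penetrable_keys(new_components, keys, K_P, inv):
    """Least fixpoint P = ∪ P_i: a key joins P once some new regular component
    exposes it behind encryptions whose decryption keys are already in P."""
    P = set(K_P)
    while True:
        P_inv = {inverse(k, inv) for k in P}
        Y = {K for K in keys - P if any(occurs_under(K, t, P_inv) for t in new_components)}
        if not Y:
            return P
        P |= Y

def safe_key_levels(new_components, keys, K_P, inv):
    """[S_0, S_1, ...] until the levels stabilise; the last entry is S."""
    def level(prev):
        return {K for K in keys - K_P if all(guarded(K, t, prev, inv) for t in new_components)}
    levels = [level(set())]
    while True:
        nxt = level(levels[-1])
        if nxt == levels[-1]:
            return levels
        levels.append(nxt)

def descend(term, steps, inv):
    """Follow a falling penetrator path from term(p_1) (Proposition 7(1)): a step is
    ('S', 'left'|'right') for a separation strand or ('D', K_dec) for a decryption
    strand keyed by K_dec.  Returns the term at l(p) and the set S of encryption
    keys stripped on the way, so that term(l(p)) ⊑_S term(p_1) (Proposition 7(3))."""
    S = set()
    for kind, arg in steps:
        if kind == 'S' and term[0] == 'cat':
            term = term[1] if arg == 'left' else term[2]
        elif kind == 'D' and term[0] == 'enc' and inverse(term[2], inv) == arg:
            S.add(term[2])
            term = term[1]
        else:
            raise ValueError('step %r does not apply to %r' % ((kind, arg), term))
    return term, S

def needham_schroeder():
    """NS public-key protocol (Section 4.1): no key ever occurs inside a message."""
    inv = key_pairs('KA', 'KB', 'KP')
    keys = set(inv)
    K_P = {'KA', 'KB', 'KP', 'KP^-1'}                 # public keys and the penetrator's own pair
    regular = [('enc', ('cat', 'Na', 'A'), 'KB'),     # new components of regular nodes
               ('enc', ('cat', 'Na', 'Nb'), 'KA'),
               ('enc', 'Nb', 'KB')]
    return penetrable_keys(regular, keys, K_P, inv), safe_key_levels(regular, keys, K_P, inv)

def key_server(compromised=()):
    """Constructed server pattern: session key Kab sent to A and B under the
    long-term symmetric keys Kas and Kbs; `compromised` lists keys placed in K_P."""
    inv = {}                                          # every key symmetric
    keys = {'Kas', 'Kbs', 'Kab'}
    K_P = set(compromised)
    regular = [('enc', ('cat', 'B', 'Kab'), 'Kas'),
               ('enc', ('cat', 'A', 'Kab'), 'Kbs')]
    return penetrable_keys(regular, keys, K_P, inv), safe_key_levels(regular, keys, K_P, inv)
```

`key_server()` yields $S_0 = \{Kas, Kbs\}$ and $S_1$ adding `Kab`, the situation the text describes for server-generated session keys; with `compromised=('Kbs',)` the session key lands in $P$ instead and never becomes safe, and $P$ and $S$ stay disjoint as stated above. `descend` applied to $N_b\,\{N_a\,A\}_{K_B}$ with steps S-right, D-with-$K_B^{-1}$, S-left recovers $N_a$ and the key set $\{K_B\}$ for which $N_a \sqsubset_{\mathcal{S}} N_b\,\{N_a\,A\}_{K_B}$ holds.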


4.2 The Authentication Tests


Fix some strand space $\Sigma$. We identify segments of regular strands called tests whose presence will guarantee the existence of other regular strands in the bundle; they are strands with transforming edges operating on the test component.

Definition 13 $t = \{h\}_K$ is a test component for $a$ in $n$ if:

(1) $a \sqsubset t$ and $t$ is a component of $n$;

(2) The term $t$ is not a proper subterm of a component of any regular node $n' \in \Sigma$.

The edge $n_0 \Rightarrow^+ n_1$ is a test for $a$ if $a$ uniquely originates at $n_0$ and $n_0 \Rightarrow^+ n_1$ is a transformed edge for $a$.

Clause 2 in the definition of test component requires the test component not to occur as a more nested, proper subterm (Definition 21) of a component of a regular node, because then the test component might be transformed "inadvertently," so to speak, when the larger unit is processed in some way. In that case, the penetrator could benefit from building a larger term to send to a regular participant, who might then emit some new message of value to the penetrator.

In Needham-Schroeder, if $s_r \in \mathrm{NSResp}[A, B, N_a, N_b]$, then $\{N_a\,N_b\}_{K_A}$ is a test component for $N_b$ in $\langle s_r, 2\rangle$, because $\mathrm{term}(\langle s_r, 2\rangle) = \{N_a\,N_b\}_{K_A}$; this component does not occur as a proper subterm of any other regular node. Assuming that the responder $B$ chooses $N_b$ to be uniquely originating at $\langle s_r, 2\rangle$, the edge $\langle s_r, 2\rangle \Rightarrow \langle s_r, 3\rangle$ is a test for $N_b$.
Fig. 15. Outgoing and Incoming Tests


Tests  can  use  their  test  components  in  at  least  two  different  ways.  If  the 
uniquely  originating  value  is  sent  in  encrypted  form,  and  the  challenge  is  to 
decrypt  it,  then  that  is  an  outgoing  test.  If  it  is  received  back  in  encrypted 
form,  and  the  challenge  is  to  produce  that  encrypted  form,  then  that  is  an 
incoming  test.  These  two  kinds  of  test  are  illustrated  in  Figure  15. 

Definition 14 The edge $n_0 \Rightarrow^+ n_1$ is an outgoing test for $a$ in $t = \{h\}_K$ if it is a test for $a$ in which: $K^{-1} \notin P$; $a$ does not occur in any component of $n_0$ other than $t$; and $t$ is a test component for $a$ in $n_0$.

The edge $n_0 \Rightarrow^+ n_1$ is an incoming test for $a$ in $t_1 = \{h\}_K$ if it is a test for $a$ in which $K \notin P$ and $t_1$ is a test component for $a$ in $n_1$.

If $K_A^{-1} \notin \mathsf{K}_P$ (hence $K_A^{-1} \in S_0$), then the edge $\langle s_r, 2\rangle \Rightarrow \langle s_r, 3\rangle$ is an outgoing test for $N_b$ in $\{N_a\,N_b\}_{K_A}$. It is not an incoming test for $N_b$ in $\{N_b\}_{K_B}$, because the public key $K_B$ is presumably in $\mathsf{K}_P$.

The  three  authentication  test  results  that  follow  give  a  powerful  method  for 
establishing  the  authentication  goals  of  protocols.  The  results  with  their  proofs 
appear  in  Section  4.3.2  as  Propositions  19-21. 
Fig. 16. Authentication Provided by an Outgoing Test

The Outgoing Authentication Test


Authentication Test 1 Let $\mathcal{C}$ be a bundle with $n' \in \mathcal{C}$, and let $n \Rightarrow^+ n'$ be an outgoing test for $a$ in $t$.

(1) There exist regular nodes $m, m' \in \mathcal{C}$ such that $t$ is a component of $m$ and $m \Rightarrow^+ m'$ is a transforming edge for $a$.

(2) Suppose in addition that $a$ occurs only in component $t_1 = \{h_1\}_{K_1}$ of $m'$, that $t_1$ is not a proper subterm of any regular component, and that $K_1^{-1} \notin P$. Then there is a negative regular node $m''$ with $t_1$ as a component.

The meaning of this assertion is illustrated in Figure 16. In this diagram, the two nodes marked $\circ$ represent $n$ and $n'$. The result assumes that $a$ originates uniquely here (as marked in the figure) and that the decryption key $K^{-1}$ is safe. The diagram does not represent the assumption that $t$ not be a proper subterm of any regular component, which being non-local is hard to display. The test establishes that $\mathcal{C}$ also contains regular nodes $m$ and $m'$ (marked $\bullet$ at right) with a transforming edge for $a$. With the assumptions on $t_1$ given in clause 2, there is also a negative regular node $m''$, shown with a $\bullet$ on the bottom line, of which $t_1$ is a component.


4.2.1.1 Outgoing Tests: The Needham-Schroeder Illustration

We may illustrate the outgoing authentication tests by Needham-Schroeder. Assume that $\mathcal{C}$ is a bundle, and the $\mathcal{C}$-height of $s_r \in \mathrm{NSResp}[A, B, N_a, N_b]$ is 3, which means that all three nodes of $s_r$ belong to $\mathcal{C}$. Assume that $K_A^{-1} \notin \mathsf{K}_P$. Finally, assume that $N_b$ originates uniquely, and $N_b \ne N_a$ (which together mean that $N_b$ originates uniquely at $\langle s_r, 2\rangle$).

Hence, the edge $\langle s_r, 2\rangle \Rightarrow \langle s_r, 3\rangle$ is an outgoing test for $N_b$ in $\{N_a\,N_b\}_{K_A}$.

By Authentication Test 1, there exist regular nodes $m, m' \in \mathcal{C}$ such that $\{N_a\,N_b\}_{K_A}$ is a component of $m$ and $m \Rightarrow^+ m'$ is a transforming edge for $N_b$. The only negative regular node containing a component of this form is $\langle s_i, 2\rangle$ for $s_i \in \mathrm{NSInit}[A, B', N_a, N_b]$ and some responder $B'$. Thus, the transforming edge $m \Rightarrow^+ m'$ must be $\langle s_i, 2\rangle \Rightarrow \langle s_i, 3\rangle$, and $s_i$ has $\mathcal{C}$-height 3.

Unfortunately, we have not proved that $s_i \in \mathrm{NSInit}[A, B, N_a, N_b]$ for the expected responder $B$, rather than some other responder $B'$. And Figure 2 is a counterexample in which $B' = P \ne B$. Hence we have uncovered a limitation in the authentication achieved by Needham-Schroeder, first noted by Lowe [12, 13], which led Lowe to amend the protocol to contain the responder's name $B$ in the second message $\{N_a\,N_b\,B\}_{K_A}$.


4.2.1.2 Needham-Schroeder-Lowe Let us next consider a strand space Σ in which the regular strands are:

• For s_i ∈ NSLInit[A, B, Na, Nb], traces of the form:

-{]«■<.  Aft 

• For s_r ∈ NSLResp[A, B, Na, Nb], traces of the form:

To be precise, let T_name be a distinguished set within A with T_name ⊆ T. NSLInit[A, B, Na, Nb] and NSLResp[A, B, Na, Nb] are empty unless A, B ∈ T_name; Na, Nb ∈ T but Na, Nb ∉ T_name. In addition, we assume that the set of responder strands NSLResp[A, B, Na, Nb] is empty unless Nb ≠ Na. This proof of the correctness of the protocol depends on the assumption that the "public key of" mapping A ↦ K_A is injective.

Assume that C is a bundle, and the C-height of s_r ∈ NSLResp[A, B, Na, Nb] is 3. Assume that K_A^{-1} ∉ K_P. Finally, assume that Nb originates uniquely, and Nb ≠ Na (which together mean that Nb originates uniquely at (s_r, 2)).

As before, it follows that the edge (s_r, 2) ⇒+ (s_r, 3) is an outgoing test for Nb in {|Na Nb B|}_{K_A}. By Authentication Test 1, there exist regular nodes m, m' ∈ C such that {|Na Nb B|}_{K_A} is a component of m and m ⇒+ m' is a transforming edge for a. The only negative regular node containing a component of this form is (s_i, 2) for s_i ∈ NSLInit[A, B, Na, Nb].

Thus, the transforming edge m ⇒+ m' must be (s_i, 2) ⇒+ (s_i, 3), and s_i has C-height 3. This proves that the responder successfully authenticates the initiator in Needham-Schroeder-Lowe.

We will also prove the initiator's authentication guarantee. The proof is very similar, except that it is necessary to use the second part of Authentication Test 1 as well as the first part of it. We include it to illustrate the use of this proof method.


Let C be a bundle in Σ, and s_i be an initiator's strand in NSLInit[A, B, Na, Nb] with C-height 3. Assume K_A^{-1}, K_B^{-1} ∉ K_P, and suppose that Na is uniquely originating.

The edge (s_i, 1) ⇒+ (s_i, 2) is an outgoing test for Na in {|Na A|}_{K_B}, so it follows (by Authentication Test 1) that there is a regular transforming edge m ⇒+ m' in C with {|Na A|}_{K_B} a component of the negative node m. This implies that m, m' are the first two nodes of a responder strand s_r ∈ NSLResp[A, B, Na, N]. In this step, we used the assumption that K_B^{-1} ∉ K_P, from which it follows that K_B^{-1} ∉ P.

However, we cannot yet be sure whether N = Nb. To infer that B has sent out the same nonce Nb that A eventually receives, we use Part 2 of Authentication Test 1. It implies that {|Na N B|}_{K_A} is a component of some negative regular node m''. However, m'' can only be (s', 2) for some s' ∈ NSLInit[A, B, Na, N], since only the second node of an initiator strand receives a component of this form. By the form of an initiator strand, Na originates at (s', 1). Since Na is uniquely originating, it follows that (s', 1) = (s_i, 1), so s' = s_i and N = Nb. In this step, we used the assumption that K_A^{-1} ∉ K_P, from which it follows that K_A^{-1} ∉ P.

Thus, we have shown that C contains a responder strand

s_r ∈ NSLResp[A, B, Na, Nb]

with C-height 2. This proves that the initiator successfully authenticates the responder in Needham-Schroeder-Lowe.


4.2.2 The Incoming Authentication Test

An authentication test result for incoming tests can be used to infer the existence of a regular transforming edge in protocols in which a nonce is emitted in plaintext, for instance as a challenge, and later received in encrypted form.

Authentication Test 2 Let C be a bundle with n' ∈ C, and let n ⇒+ n' be an incoming test for a in t'. Then there exist regular nodes m, m' ∈ C such that t' is a component of m' and m ⇒+ m' is a transforming edge for a.

The meaning of this assertion is illustrated in Figure 17 using the same conventions as in Figure 16. We will apply the incoming authentication test in Sections 5.2 and 5.3.

Fig. 17. Authentication Provided by an Incoming Test

Although in this paper we will make no use of it, the outgoing and incoming authentication tests also establish an ordering on the nodes, as n occurs before m and m', while n' occurs after. The nodes are ordered n ≺ m ≺ m' ≺ n' in the causal ordering given in Definition 20. The principal executing n and n' can regard a session key generated at m' as "fresh," because it was created more recently than the beginning of his current run.

The authentication tests are also valid when n and n' are not actually on the same strand, but n is a node known to be in a bundle and to have uniquely originated the test value a, and n' is a node on a different strand that later receives a in transformed form.


4.2.3 The Unsolicited Authentication Test

The authentication property achieved by an unsolicited test is less informative, but frequently useful, for instance when a key server authenticates its clients. We will illustrate authentication via unsolicited tests in Sections 5.1-5.2.

Definition 15 A negative node n is an unsolicited test for t = {|h|}_K if t is a test component for any a in n and K ∉ P.

Authentication Test 3 Let C be a bundle with n ∈ C, and let n be an unsolicited test for t = {|h|}_K. Then there exists a positive regular node m ∈ C such that t is a component of m.


4.2.4 Usage of Authentication Tests

When asymmetric cryptography is in use, incoming and outgoing tests are used in different ways, as an outgoing test requires that K^{-1} ∉ P, while an incoming test requires that K ∉ P.

An outgoing test can be used when the secrecy of the uniquely originating value must be preserved. In that case, K is the public key of the intended interlocutor, so that K^{-1} ∉ P (unless the private key has been compromised somehow). This method is used in Needham-Schroeder, where Na is transmitted encrypted in the public key of the responder, and returned encrypted with the public key of the initiator. Nb is treated dually.

An incoming test may be used when the secrecy of the value is not important. Protocols in which the interlocutor proves its presence by signing a freshly presented value with a private key use an incoming test.

When symmetric cryptography is in use, K^{-1} = K, so we do not have this contrast. Indeed, in many cases the test edge has components t and t' that are both encrypted with a long-term shared key K, where the uniquely originating value N is contained in both t and t'. Frequently, t' also contains a fresh session key. In these cases, we may regard the test edge as an outgoing test or an incoming test; both definitions apply. The Otway-Rees protocol is an example (Section 5.1). Below, we choose arbitrarily to regard it as an outgoing test.

Protocols using symmetric cryptography that do not safeguard the secrecy of the uniquely originating value may use a test edge that is either an outgoing test or an incoming test (but not both). The edge is an outgoing test if the challenge value N is transmitted encrypted and the interlocutor proves its presence by decrypting it. In this case, the edge has the form {|t|}_K ⇒+ N, where N ⊑ t. We have not illustrated a protocol of this kind here.

The edge is an incoming test if it has the form N ⇒+ {|t|}_K, and Neuman-Stubblebine illustrates this case (Section 5.2), as does the Woo-Lam protocol (Section 5.3).

An unsolicited test is the only way for a key server to authenticate the principals that request a key from it. This is the primary (though not exclusive) reason why it occurs in protocols using symmetric cryptography.


4.3 Proving the Method for Authentication Correct

In this section we will justify our method for establishing authentication results. We first prove Proposition 16, justifying our treatment of secrecy. We then prove theorems establishing the three kinds of authentication test which so many protocols use. Each authentication test establishes the existence of regular nodes, typically forming a transforming edge (Section 4.3.2).

4.3.1 Keys Available to the Penetrator are Penetrable

Proposition 17 Let C be a bundle with n ∈ C and term(n) = K. Then K ∈ P.

Proof. By Propositions 5 and 14, we may assume that C is normal and efficient. We argue by induction on the well-founded relation ≺_C. Our induction hypothesis is that, for all n' ≺_C n, if term(n') is a key then term(n') ∈ P.

By Proposition 11, we may let (p, ℒ) be a transformation path such that ℓ(p) = n, K originates at p_1, and K ⊑ ℒ_i for all i with 1 ≤ i ≤ |p|. If |p| = 1 and n is a penetrator node, then n is a K node, so K ∈ K_P. Otherwise, because C is normal and efficient, p_1 is not a penetrator node (which could only be a K node).

Since p_1 is a regular node, there are regular nodes on p, and we may let p_λ be the last regular node on p. Since C is normal and term(ℓ(p)) is an atomic term, the penetrator path

p_λ ↦ ··· ↦ ℓ(p)

is a falling path; by Proposition 11 it traverses no D strand key edges.

By the induction hypothesis, each time p traverses a D strand s from ciphertext node to plaintext node, the key edge on s contains a key K_0 ∈ P. By Proposition 7, K ⊑_{P^{-1}} ℒ_λ, where ℒ_λ is the distinguished component of p_λ. To show that K ∈ P, we need only show that ℒ_λ occurs new on some positive regular node.

Let κ be the least index such that ℒ_i = ℒ_λ for all i with κ ≤ i ≤ λ. If p_κ is a regular node, then ℒ_λ is a new component of p_κ by the choice of κ. However, if p_κ is a penetrator node, then it lies either on a D or on an E strand, either of which has a simple node. By Proposition 15, this contradicts the assumption that C is efficient. □


4.3.2 Proofs of the Authentication Tests

A regular component is a term that is a component of some regular node.

Proposition 18 Suppose (p, ℒ) is a transformation path traversing no key edges such that p_1 and ℓ(p) are regular and ℒ_1 ≠ ℒ_{|p|}.

(1) Let ℒ_1 be of the form {|h_1|}_{K_1}. Suppose that ℒ_1 is not a proper subterm of any regular component, and suppose that K_1^{-1} ∉ P.

If α is the smallest index such that ℒ_α ≠ ℒ_{α+1}, then p_α is regular. Moreover, p_α ⇒+ p_{α+1} is a transforming edge.

(2) Let ℒ_{|p|} be of the form {|h_λ|}_{K_λ}. Suppose that ℒ_{|p|} is not a proper subterm of any regular component, and suppose that K_λ ∉ P.

If α is the largest index such that ℒ_α ≠ ℒ_{α-1}, then p_α is regular. Moreover, p_{α-1} ⇒+ p_α is a transforming edge.

Proof. We prove item 1. The proof of 2 is analogous. Suppose p_α is not regular. Then p_α ⇒ p_{α+1} lies either on a D-strand or an E-strand.

In the D-strand case term(p_α) = ℒ_1 = {|h_1|}_{K_1}. But then the key edge contains K_1^{-1}, which by Proposition 17 entails K_1^{-1} ∈ P.

So suppose that p_α ⇒ p_{α+1} lies on an E-strand, in which case ℒ_α is a proper subterm of ℒ_{α+1} = term(p_{α+1}). Since C is normal and p_α ⇒ p_{α+1} is constructive, every penetrator edge between p_α and the next regular node p_β on p, which exists since ℓ(p) is regular, is constructive.

By Proposition 6, the path p_α ↦ ··· ↦ p_β is rising, so ℒ_1 = ℒ_α is a proper subterm of ℒ_{α+1}, which in turn is a subterm of term(p_β). This contradicts the assumption that ℒ_1 is not a proper subterm of any regular component.

p_α ⇒ p_{α+1} is a transforming edge because ℒ_{α+1} is a new component on the strand of p_{α+1}. □

Proposition 19 Let C be a normal bundle with n' ∈ C, and let n ⇒+ n' be an outgoing test for a in t. Then there exist regular nodes m, m' ∈ C such that t is a component of m and m ⇒+ m' is a transforming edge for a.

Suppose in addition that a occurs only in component t_1 = {|h_1|}_{K_1} of m'. Suppose that t_1 is not a proper subterm of any regular component, and suppose that K_1^{-1} ∉ P. Then there is a negative regular node with t_1 as a component.

Proof. Because n ⇒+ n' is a transformed edge for a, there is a new component t' of n' with a ⊑ t'.

By Proposition 11, there is a transformation path (p, ℒ) in C with p_1 = n, ℓ(p) = n', ℒ_{|p|} = t', and a ⊑ ℒ_i for all i. Since t' is new in n', ℒ_1 ≠ t'. In fact, because a occurs in no component of n other than t, ℒ_1 = t. In particular,

ℒ_1 ≠ ℒ_{|p|}.

By the first part of Proposition 18, the smallest index α such that ℒ_α ≠ ℒ_{α+1} is such that p_α is regular. Moreover, p_α ⇒+ p_{α+1} is a transforming edge. It follows that t = ℒ_1 = ℒ_α is a component of m = p_α.

Consider now the additional assumptions on the components of m' = p_{α+1}. Since ℒ_{α+1} is a component of term(m') that contains a as subterm and a occurs only in component t_1 = {|h_1|}_{K_1}, ℒ_{α+1} = t_1.

If t_1 = t', then n' itself is a negative regular node with t_1 as a component. Otherwise, apply Proposition 18 again to conclude that the smallest index β ≥ α + 1 such that ℒ_β ≠ ℒ_{β+1} is such that p_β is regular. Now t_1 = ℒ_{α+1} = ℒ_β is a component of p_β. □

Proposition 20 Let C be a normal bundle with n' ∈ C, and let n ⇒+ n' be an incoming test for a in t'. Then there exist regular nodes m, m' ∈ C such that t' is a component of m' and m ⇒+ m' is a transforming edge for a.

Proof. By Proposition 11, there is a transformation path (p, ℒ) in C with p_1 = n, ℓ(p) = n', ℒ_{|p|} = t', and a ⊑ ℒ_i for all i. Since t' is new in n', ℒ_1 ≠ t'. In particular, ℒ_1 ≠ ℒ_{|p|}.

By the second part of Proposition 18, the largest index α such that ℒ_α ≠ ℒ_{α-1} is such that p_{α-1} is regular. Moreover, p_{α-1} ⇒+ p_α is a transforming edge. In particular t' = ℒ_{|p|} = ℒ_α is a component of m' = p_α. □

Proposition 21 Let C be a normal bundle with n ∈ C, and let n be an unsolicited test for t = {|h|}_K. Then there exists a positive regular node m ∈ C such that t is a component of m.

Proof. By Proposition 11, there is a key-edge-free transformation path (p, ℒ) in C with ℓ(p) = n, ℒ_{|p|} = t, t ⊑ ℒ_i for all i, and such that t originates at p_1.

Since t originates at p_1, p_1 is a positive node. We claim p_1 is a regular node. Suppose otherwise. Since t ⊑ term(p_1), p_1 is neither an M-node nor a K-node. Since t originates at p_1, p_1 cannot be an S-node, a C-node nor a D-node.

If p_1 is an E-node, then p_1 is the positive ciphertext (last) node on an E-strand. Since K ∉ P, t is a proper subterm of term(p_1). Hence t is a subterm of the plaintext (first) node on the strand, so t cannot originate at p_1 in this case either.

Therefore, p_1 must be a regular node as claimed. By the definition of test component, t is not a proper subterm of any component of p_1, so t is a component of p_1. □


5 Protocol Correctness and Protocol Failure

In this section we apply the authentication theorems of Section 4.2 to several additional examples. They are the Otway-Rees protocol [19, 1, 26], the Neuman-Stubblebine protocol [18, 25], and the Woo-Lam protocol [27, 29]. We do so to illustrate the ease and directness with which these theorems lead to authentication results.

It is remarkably easy to find the outgoing, incoming, and unsolicited tests that provide a protocol's authentication guarantees, assuming that the protocol does not allow its test components to occur in nested contexts. That would violate Clause 2 of the definition of test component (Definition 13). The method works for public-key protocols, and for shared symmetric key protocols also.

In  the  Otway-Rees  protocol,  each  of  the  initiator  and  the  responder  uses  an 
outgoing  test  to  authenticate  a  server  strand.  The  server  uses  an  unsolicited 
test  to  establish  that  the  initiator  and  responder  have  each  sent  a  message. 

The Neuman-Stubblebine protocol uses a combination of incoming tests and unsolicited tests. It is a two-part protocol: in Part I the initiator and responder use a key distribution server to authenticate one another and acquire a session key. In Part II the key distribution server is not involved; the initiator re-presents a ticket obtained in a run of Part I, and the initiator and responder re-authenticate one another. Part I is valid in itself [25] (ignoring an implausible type-flaw attack [11]). Part II is flawed, both in itself [11] and in undermining the guarantees that Part I provides in isolation [25]. We will use the authentication test results to explain both why Part I works in isolation, and also why the addition of Part II undermines its guarantees.


5.1  The  Otway-Rees  Protocol 


The Otway-Rees protocol (Figure 18) uses long-term symmetric keys shared with a key server to distribute a new session key for a conversation between two clients. The protocol does not establish that the same key is delivered to both A and B [26], only that if either A or B reaches the end of its strand, then the other has submitted the expected matching original request {|Nb M A B|}_{K_BS} or {|Na M A B|}_{K_AS}. Also, K is not disclosed, assuming that the server chooses a uniquely originating session key K.


5.1.1 Strand Spaces for Otway-Rees

The regular strands are defined to be of the form:

(1) "Initiator strands" in Init[A, B, N, M, K], which have trace:

⟨+ M A B {|N M A B|}_{K_AS}, − M {|N K|}_{K_AS}⟩
[Figure 18: message exchange among A, B and S]

M1 = M A B {|Na M A B|}_{K_AS}
M2 = M A B {|Na M A B|}_{K_AS} {|Nb M A B|}_{K_BS}
M3 = M {|Na K|}_{K_AS} {|Nb K|}_{K_BS}
M4 = M {|Na K|}_{K_AS}

Fig. 18. Message Exchange in Otway-Rees

(2) "Responder strands" in Resp[A, B, N, M, K, H, H'], which have trace:

⟨− M A B H,
+ M A B H {|N M A B|}_{K_BS},
− M H' {|N K|}_{K_BS},
+ M H'⟩

(3) "Server strands" in Serv[A, B, Na, Nb, M, K] with trace:

⟨− M A B {|Na M A B|}_{K_AS} {|Nb M A B|}_{K_BS},
+ M {|Na K|}_{K_AS} {|Nb K|}_{K_BS}⟩

The principal active in Init[A, B, N, M, K] is A, while the active principal in Resp[A, B, N, M, K, **] is B.¹ We define LT to be the set of long-term keys, i.e. the range of the injective function K_AS for A ∈ T_name. All long-term keys are symmetric: K ∈ LT implies K = K^{-1}.

We will use three side assumptions.

(1) We assume that the responder's nonce originates on that strand, which implies that Resp[A, B, N, M, K, H, H'] = ∅ if N ⊑ H.

¹ We sometimes use an asterisk to indicate a union over a particular argument position, and a double asterisk to indicate a union over all remaining argument positions. Thus, for instance, Serv[**, K] is the set of all server strands emitting the session key K; Resp[A, B, N, M, K, **] is the set of all responder strands with initiator A, responder B, nonce N, round number M, session key K, and any value of the remaining parameters. We will also abbreviate a form like Serv[*, *, *, *, *, K] to Serv[**, K].
(2) We assume that the terms H and H', which are simply forwarded by the responder with no interpretation or processing, contain no proper encrypted subterms. That is, {|g|}_K ⊑ H and {|g|}_K ≠ H implies

Resp[A, B, N, M, K, H, H'] = ∅;

and likewise for H'. We point out below (Section 5.1.3) that this assumption does not mask any possible failure of the protocol.

(3) We assume that the server generates keys in a reasonable manner, in the sense that Serv[**, K] = ∅ unless: K ∉ K_P; K = K^{-1}; K is uniquely originating; and K ∉ LT. It follows from the unique origination assumption that the cardinality |Serv[**, K]| ≤ 1 for every K.

An assumption of the same form as (2) is always useful when a principal forwards an encrypted component it cannot decrypt. An assumption of the same form as (3) always characterizes the intended behavior of a key server. Let Σ be a strand space satisfying these three conditions.


5.1.2 Otway-Rees Authentication

Structurally, Otway-Rees achieves its authentication guarantees in three steps.

(1) The long-term keys LT are not disclosed by the protocol. Thus, if K ∈ LT and K ∉ K_P, then K ∈ S_0. Hence, if the server distributes a session key K' to principals with uncompromised keys, then K' ∈ S_1.

(2) The server strand receives an unsolicited test that authenticates the initial positive node of the initiator and responder.

(3) The initiator strand contains an outgoing test for Na in {|Na M A B|}_{K_AS}; this authenticates the server strand. Likewise, the responder strand contains an outgoing test for Nb in {|Nb M A B|}_{K_BS}, which authenticates the server strand.

The initiator authenticates the responder only in that it authenticates the server strand, which has authenticated the occurrence of the responder's initial positive node. The situation is symmetrical for the responder authenticating the initiator.

Because K ⋢ term(n) for long-term keys K ∈ LT and regular nodes n, Definition 12 immediately entails LT ⊆ S_0 ∪ K_P. Because the initiator and responder strands emit no new components in which keys occur, a session key can be compromised only if the server sends it out encrypted with a compromised long-term key. By the unique origination assumption on session keys, if it is sent out under uncompromised long-term keys, then the server will never re-use it with compromised long-term keys. Summarizing this, we have:
Proposition 22 LT ⊆ S_0 ∪ K_P. If K_AS, K_BS ∉ K_P and Serv[A, B, *, *, *, K] ≠ ∅ then K ∈ S_1.

Turning now to the server's authentication guarantee, we use unsolicited tests.

Proposition 23 Suppose that C is a bundle in Σ; A ≠ B; K_AS, K_BS ∉ K_P; and s ∈ Serv[A, B, Na, Nb, M, *] has C-height 1.

Then there exist s_i ∈ Init[A, B, Na, M, *] and s_r ∈ Resp[A, B, Nb, M, **] such that s_i has C-height 1 and s_r has C-height 2.

Proof. The terms {|Na M A B|}_{K_AS} and {|Nb M A B|}_{K_BS} are unsolicited tests, and therefore (Authentication Test 3) occur on positive regular nodes in C. When A ≠ B, the latter occurs positively only on a node (s_r, 2) where s_r ∈ Resp[A, B, Nb, M, **].

As for {|Na M A B|}_{K_AS}, it may occur positively either on an initiator strand s_i ∈ Init[A, B, Na, M, *] or as H or H' in a strand in Resp[**, H, *] or Resp[**, H']. Let S be the set of all regular nodes in C having {|Na M A B|}_{K_AS} as a component. Since S is non-empty, it has a ≺_C-minimal member n_0 (Proposition 27). Since neither H nor H' occurs new on a responder strand, n_0 can only be of the form (s_i, 1) for s_i ∈ Init[A, B, Na, M, *]. □

If A = B, then {|Na M A B|}_{K_AS} and {|Nb M A B|}_{K_BS} are encrypted under the same key and have the same form, so the server can no longer be sure that both an initiator strand and a responder strand are present. This is the explanation for the odd attack, attributed to Michael Goldsmith, in which "the responder thinks he wants to talk to himself, but he really doesn't."

(1) P(A) → B: B B M H

(2) B → P(S): B B M H {|Nb M B B|}_{K_BS}

(3) P(B) → S: B B M {|Nb M B B|}_{K_BS} {|Nb M B B|}_{K_BS}

which causes a normal server strand, despite the non-existence of any active initiator.
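The distinctions drawn in Section 4.2.4 (outgoing versus incoming tests, and the symmetric case in which both apply) and the server's unsolicited tests of Proposition 23 can be checked mechanically on concrete message terms. The Python below is an added example, not code from the paper: it uses a small constructed term algebra (Enc for {|h|}_K, tuples for concatenation, string atoms), assumes the key-naming convention 'KB' / 'KB^-1' for public-key pairs with Kas and Kbs symmetric, and takes the non-local side conditions (unique origination of a, Clause 2 of Definition 13) as given by the caller. Its last check reproduces the A = B collapse just described: the server's two unsolicited-test components become one.

```python
# Added example (not from the paper): a toy term algebra for checking the
# authentication-test conditions of Section 4.2 on concrete message terms.
from dataclasses import dataclass
from typing import Iterator, Union


@dataclass(frozen=True)
class Enc:
    """Encryption {|body|}_key.  Constructed convention: a public key 'KB'
    has the private inverse 'KB^-1'; keys in SYMMETRIC_KEYS are self-inverse."""
    body: "Term"
    key: str


Term = Union[str, tuple, Enc]            # atom | concatenation | encryption
SYMMETRIC_KEYS = frozenset({"Kas", "Kbs"})   # long-term keys shared with S


def inverse(key: str) -> str:
    """K^-1 as used in Section 4.2.4; symmetric keys satisfy K^-1 = K."""
    if key in SYMMETRIC_KEYS:
        return key
    return key[:-3] if key.endswith("^-1") else key + "^-1"


def components(t: Term) -> list:
    """Split concatenations down to atoms and encryptions."""
    if isinstance(t, tuple):
        return [c for part in t for c in components(part)]
    return [t]


def subterms(t: Term) -> Iterator[Term]:
    """All subterms of t; the key of an encryption is not a subterm of it."""
    yield t
    if isinstance(t, tuple):
        for part in t:
            yield from subterms(part)
    elif isinstance(t, Enc):
        yield from subterms(t.body)


def occurs_in(a: str, t: Term) -> bool:
    return any(s == a for s in subterms(t))


def is_new(comp: Term, earlier_terms: list) -> bool:
    """A component is new at a node if no earlier node of its strand has it."""
    return all(comp not in components(e) for e in earlier_terms)


def outgoing_test_for(a: str, strand: list, i: int, j: int, P: frozenset) -> bool:
    """Is strand[i] => strand[j] an outgoing test for a?  The caller guarantees
    the non-local side conditions: a originates uniquely at strand[i], and the
    carrying component is not a proper subterm of any regular component."""
    carriers = [c for c in components(strand[i]) if occurs_in(a, c)]
    if len(carriers) != 1 or not isinstance(carriers[0], Enc):
        return False                     # a must sit in exactly one {|h|}_K
    if inverse(carriers[0].key) in P:
        return False                     # the penetrator could decrypt it
    return any(occurs_in(a, c) and is_new(c, strand[:j])
               for c in components(strand[j]))


def incoming_test_for(a: str, strand: list, i: int, j: int, P: frozenset) -> bool:
    """Is strand[i] => strand[j] an incoming test for a?  Same side conditions;
    here a is received back inside a new {|h|}_K with K not in P."""
    if not occurs_in(a, strand[i]):
        return False
    return any(isinstance(c, Enc) and occurs_in(a, c) and c.key not in P
               and is_new(c, strand[:j]) for c in components(strand[j]))


def unsolicited_tests(node_term: Term, P: frozenset) -> set:
    """Encrypted components of a negative node whose key is not in P (Definition 15)."""
    return {c for c in components(node_term) if isinstance(c, Enc) and c.key not in P}


# Constructed sample terms (node signs omitted; only the terms matter here).
P_PUBLIC = frozenset({"KA", "KB"})       # public keys are known to the penetrator
# NSL terms; the initiator and responder strands carry them with opposite signs.
NSL_STRAND = [Enc(("Na", "A"), "KB"), Enc(("Na", "Nb", "B"), "KA"), Enc("Nb", "KB")]
OR_INIT = [("M", "A", "B", Enc(("Na", "M", "A", "B"), "Kas")),
           ("M", Enc(("Na", "K"), "Kas"))]
OR_SERVER_M2 = ("M", "A", "B", Enc(("Na", "M", "A", "B"), "Kas"),
                Enc(("Nb", "M", "A", "B"), "Kbs"))
# The A = B run described above: both encrypted slots hold the same component.
OR_SERVER_A_EQ_B = ("M", "B", "B", Enc(("Nb", "M", "B", "B"), "Kbs"),
                    Enc(("Nb", "M", "B", "B"), "Kbs"))

if __name__ == "__main__":
    print("NSL (si,1)=>(si,2): outgoing for Na", outgoing_test_for("Na", NSL_STRAND, 0, 1, P_PUBLIC),
          "| incoming for Na", incoming_test_for("Na", NSL_STRAND, 0, 1, P_PUBLIC),
          "| outgoing with KB^-1 compromised", outgoing_test_for("Na", NSL_STRAND, 0, 1, P_PUBLIC | {"KB^-1"}))
    print("Otway-Rees (si,1)=>(si,2): outgoing", outgoing_test_for("Na", OR_INIT, 0, 1, frozenset()),
          "| incoming", incoming_test_for("Na", OR_INIT, 0, 1, frozenset()))
    print("distinct unsolicited tests at S: A != B ->", len(unsolicited_tests(OR_SERVER_M2, frozenset())),
          "; A = B ->", len(unsolicited_tests(OR_SERVER_A_EQ_B, frozenset())))
```

With the public keys in P the NSL edge is an outgoing test only, while the Otway-Rees initiator edge under an uncompromised Kas satisfies both definitions, as Section 4.2.4 states.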

Proposition 24 Suppose that C is a bundle in Σ; A ≠ B; K_AS ∉ K_P; and s_i ∈ Init[A, B, Na, M, K] has C-height 2.

Then there exists s ∈ Serv[A, B, Na, *, M, K] with C-height 2.

Proof. (s_i, 1) ⇒+ (s_i, 2) is an outgoing test for Na in {|Na M A B|}_{K_AS}. Therefore there is a regular transforming edge for Na (Authentication Test 1). By inspection, this can only be on a server strand s ∈ Serv[A, B, Na, *, M, K]. □
Proposition 25 Suppose that C is a bundle in Σ; A ≠ B; K_BS ∉ K_P; and s_r ∈ Resp[A, B, Nb, M, K, **] has C-height 3.

Then there exists s ∈ Serv[A, B, *, Nb, M, K] with C-height 2.

Proof. (s_r, 2) ⇒+ (s_r, 3) is an outgoing test for Nb in {|Nb M A B|}_{K_BS}. Therefore there is a regular transforming edge for Nb (Authentication Test 1). By inspection, this can only be on a server strand s ∈ Serv[A, B, *, Nb, M, K]. □


These three theorems exhaust the authentication that this protocol actually achieves. Consider, for example, the initiator's guarantee that the responder has been active in a bundle containing a strand s_i in Init[A, B, Na, M, K]. It follows from Proposition 24, which establishes that the bundle contains some s' ∈ Serv[A, B, Na, *, M, K], together with Proposition 23, which further shows that some s_r ∈ Resp[A, B, *, M, **] has C-height 2. Observe that the Otway-Rees protocol cannot possibly guarantee that the responder strand (even if completed) will receive the same session key [26].


5.1.3  The  Constraint  on  Uninterpreted  Terms 

In Section 5.1.1, we assumed (Clause 2) that the terms H and H' contain no encrypted proper subterms for a responder strand in Resp[A, B, N, M, K, H, H']. However, the responder B cannot enforce this constraint, because in the intended case, these are terms encrypted in A's long-term key, which are unintelligible to B.

In this section we will check that this unenforceable constraint does not hide any attacks. In particular, if the penetrator can succeed without our restrictive assumption, then he can also succeed if it is in force.

To this end, we modify the specification of the Otway-Rees protocol by removing the restriction in Clause 2 that the terms H and H' contain no encrypted proper subterms. Let us call this new protocol "unconstrained Otway-Rees" to distinguish it from the original protocol, which we will refer to (in this section only) as "constrained Otway-Rees". Note that any constrained Otway-Rees bundle is also an unconstrained Otway-Rees bundle. We then show any unconstrained Otway-Rees bundle C' is nearly equivalent (in a sense defined below) to a constrained Otway-Rees bundle C.

To facilitate the following discussion, we will refer to the locations of the H and H' subterms of Resp[A, B, N, M, K, H, H'] nodes as insignificant locations and the terms at those locations as insignificant terms.

Definition 16 A near equivalence of unconstrained Otway-Rees strand spaces, C' on Σ' and C on Σ, is a bijection I from the regular nodes of C' to those of C satisfying

(1) I preserves the strand structure, that is m ⇒ n if and only if I(m) ⇒ I(n),

(2) For any regular node n ∈ C', term(n) and term(I(n)) are identical except for insignificant locations of term(n) and term(I(n)).

(3) A simple term originates uniquely on regular nodes in Σ iff it originates uniquely on regular nodes in Σ'.

This definition is clearly weaker than the notion of equivalence (Definition 1) in that the underlying strand spaces of the bundles may be different. Moreover, for regular nodes n and I(n), the corresponding terms term(n) and term(I(n)) may be different.

Proposition 26 Any unconstrained Otway-Rees bundle C'  is nearly equivalent to a constrained Otway-Rees bundle C.

Proof. Let $H_0, H_0' \in T$ be fixed values, chosen so that neither originates uniquely in S'. Let S contain the same initiator and server strands as S', and the same penetrator strands, together with countably many M-strands emitting the term $H_0$ and countably many M-strands emitting the term $H_0'$. Let the responder strands of S be synthesized from those of S' by replacing the values of the parameters H and H' by $H_0$ and $H_0'$; hence we have a bijection correlating the strands of Resp[A, B, N_b, M, K, *, *] in S' and Resp[A, B, N_b, M, K, H_0, H_0'] in S. By the way we selected $H_0$ and $H_0'$, S satisfies Clause 2.

A term t uniquely originates on a regular strand in S' iff it uniquely originates on a regular strand in S; likewise, the two strand spaces have the same value for $K_P$. Hence, Clauses 1 and 3 are also satisfied, so S satisfies all the conditions for an Otway-Rees strand space.

We may now synthesize a bundle C in S from C'. We include the same initiator, server, and penetrator strands (with the same height). For each responder strand in Resp[A, B, N_b, M, K, H, H'] contained in C', we include the correlated strand in Resp[A, B, N_b, M, K, H_0, H_0'], with the same height. We cannot connect these strands directly to the expected sender or recipient, because they require $H_0$ in place of H and $H_0'$ in place of H'. However, we may use M-strands to emit the newly required values, and S- and C-strands to splice them in the required positions. Similarly, we use S- and C-strands to splice them out again and re-insert the values used in C' between each responder strand and the rest of the bundle. The resulting bundle C is a counterexample to the same property in S, because these properties are independent of the values of H, H' occurring in their responder strands. The other regular strands are unchanged. □
Fig. 19. Neuman-Stubblebine Part I (Authentication)

Hence  we  may  conclude  that  a  strand  space  S'  satisfies  the  same  authentication 
properties,  even  if  Clause  2  fails  in  S'. 

This technique may be applied more generally to prove authentication results for protocols which contain unconstrained terms. Suppose S is a strand space in which the regular strands are given as traces in parametric form

$P[p, A, H] = \langle P_1[p, A, H], \ldots, P_n[p, A, H]\rangle$

where A and H range over terms and p indicates a protocol role such as server or responder. Assume further that

(1) For each i, H occurs only as a component of the term $P_i[p, A, H]$,

(2) H is allowed to assume any value in the message algebra.

Under these hypotheses, to prove any authentication results we may impose the following constraint on H: $H \in T$ and H does not occur anywhere else on regular strands.


5.2  Neuman-Stubblebine 


The Neuman-Stubblebine protocol [18] contains two sub-protocols. We will call the first sub-protocol the authentication protocol and the second sub-protocol the re-authentication protocol. In the authentication sub-protocol, a key distribution center generates a session key for an initiator (a network client) and a responder (a network server); the message exchange is shown in Figure 19. This session key is embedded in encrypted form in a re-usable ticket of the form $\{|A\,K\,t_b|\}_{K_{BS}}$.
Strands of the form shown in the columns labelled A, B, and S in Figure 19 will be called Init[A, B, N_a, N_b, t_b, K, H], Resp[A, B, N_a, N_b, t_b, K], and Serv[A, B, N_a, N_b, t_b, K], respectively.

As in Section 5.1, we define LT to be the set of long-term keys, i.e. the range of the injective function $K_{AS}$ for $A \in T_{name}$. All long-term keys are symmetric: $K \in LT$ implies $K = K^{-1}$. We likewise assume that the server generates keys in a reasonable way, meaning that Serv[*, *, *, *, *, K] $= \emptyset$ unless: $K \notin K_P$; $K = K^{-1}$; K is uniquely originating; and $K \notin LT$. Because of the unique origination assumption, it follows that the cardinality |Serv[*, *, *, *, *, K]| ≤ 1 for every K.

The overall strategy for showing the responder's guarantee, assuming given a strand $s_r \in$ Resp[A, B, N_a, N_b, t_b, K] with $K_{AS}, K_{BS} \notin K_P$, is the following:

(1) As with Otway-Rees, $LT \subseteq S_0 \cup K_P$. So for all K', $K' \in S_1$ whenever Serv[A, B, *, *, *, K'] $\neq \emptyset$.

(2) $\{|A\,K\,t_b|\}_{K_{BS}}$ is an unsolicited test, originating on a regular strand. This can only be a server strand $s_s \in$ Serv[A, B, *, *, t_b, K]. Therefore $K \in S_1$.

(3) $M_2 \Rightarrow M_4$ is an incoming test for $N_b$ in $\{|N_b|\}_K$. Hence there is a regular transforming edge producing $\{|N_b|\}_K$. This can lie only on the second and third nodes of an initiator strand $s_i \in$ Init[A', B', N_a', N_b, t_b', K, *].

(4) Since $\langle s_i, 2\rangle$ contains $\{|B'\,N_a'\,K\,t_b'|\}_{K_{A'S}}$ and $K \in S_1$, it follows that $K_{A'S} \notin P$. Moreover $\ldots = K_{A'S}$. So $\{|B'\,N_a'\,K\,t_b'|\}_{K_{A'S}}$ is an unsolicited test, originating on a regular strand. This can only be a server strand $s_s' \in$ Serv[A', B', N_a', *, t_b', K].

(5) Since server strands construct uniquely originating keys, and K originates on both $s_s$ and $s_s'$, it follows that $s_s = s_s'$. Hence, A' = A, B' = B, and $t_b' = t_b$. Therefore, $s_i \in$ Init[A, B, *, N_b, t_b, K, *], and this strand has height at least three.

The initiator's guarantee is simpler to establish. The edge $M_1 \Rightarrow M_3$ on an initiator strand is an incoming test for $N_a$ in $\{|B\,N_a\,K\,t_b|\}_{K_{AS}}$. This shows there is a server strand $s_s \in$ Serv[A, B, N_a, *, t_b, K]. The first node of $s_s$ is an unsolicited test, showing the existence of a responder strand $s_r \in$ Resp[A, B, N_a, *, t_b, *].

In the re-authentication sub-protocol, the key distribution center no longer needs to be involved; the initiator again presents the same ticket to the responder, as shown in Figure 20. However, in the presence of this additional sub-protocol, step 3 in the responder's guarantee can no longer be completed. There is certainly still a transforming edge producing $\{|N_b|\}_K$, but this edge may lie either on an initiator strand for Part I of the protocol, or on (conceivably) either type of strand for Part II. By contrast, the initiator's guarantee for Part I is unaffected, because we have not added any strand with a transforming edge producing a term of the form $\{|B\,N_a\,K\,t_b|\}_{K_{AS}}$.
Fig. 20. Neuman-Stubblebine, Part II (Re-authentication)
Fig. 21. Woo-Lam


5.3  The  Woo-Lam  Protocol 


The  Woo-Lam  one-way  authentication  protocol  [27]  also  uses  an  incoming 
test,  although  in  a  flawed  way  [29,  4,  8].  It  is  intended  to  allow  an  initiator 
(client)  A  to  authenticate  his  presence  to  a  responder  (networked  service)  B,  by 
means  of  long-term  keys  shared  with  a  key  server.  A  receives  no  authenticating 
information  about  B.  The  behavior  of  the  protocol  is  given  in  Figure  21. 

It is clear from Figure 21 how this is intended to work. The edge from B's first transmission of $N_b$ to its final reception of $\{|N_b|\}_{K_{BS}}$ is intended to serve as an incoming test with that term as test component. The server's edge $\{|A, \{|N_b|\}_{K_{AS}}|\}_{K_{BS}} \Rightarrow \{|N_b|\}_{K_{BS}}$ is intended as the corresponding transforming edge. It “authenticates” that the server has found $N_b$ inside A's encrypted message.

Unfortunately this description is enough to see what is wrong with this protocol. There is another type of transforming edge that produces a term of the same form as the incoming test component. This is the initiator's encrypting edge, in the case in which the initiator is B. Thus, the attacker can wait until B needs to authenticate itself to any responder, and can then execute the attack shown in Figure 22. Woo and Lam state that they assume that a principal can detect when it receives an encrypted unit that it has constructed itself; so perhaps this attack is not entirely “fair.” See [4] for additional discussion.

Fig. 22. Woo-Lam Infiltrated

Yet another problem (also discussed in [4]) exists. Even when the server constructs the term $\{|N_b|\}_{K_{BS}}$, this term does not fully determine the parameters to the server strand. A second attack on Woo-Lam exploits this. The attacker starts two sessions with the responder B. In one he purports to be A; in the other he uses some identity C he has somehow captured, so that $K_{CS} \in K_P$. He then switches the nonce $N_b$ that B generates, intended to authenticate A, into the session with C, so that B sends $\{|C, \{|N_b|\}_{K_{CS}}|\}_{K_{BS}}$ to the server. The server then generates $\{|N_b|\}_{K_{BS}}$, which is the test component for B's session with A. The attacker then makes this appear to belong to that session. The auxiliary session with C fails to complete.

The Woo-Lam example is included here to illustrate how useful the authentication tests are as a heuristic used to find problems in protocols. They may be used for this purpose even in a case in which some of the official constraints on the authentication test are not satisfied. For instance, in the Woo-Lam protocol, the test component could also occur as a proper subterm of a regular node, namely the message from a responder to the server. However, the authentication tests still model the reasoning of a protocol designer well enough to suggest where failures will lie.


6  Cryptographic  Protocol  Design 

The outgoing, incoming, and unsolicited tests, and the authentication results that apply to them, suggest a protocol design process. At our level of abstraction, authentication protocol design is largely a matter of selecting authentication tests, and constructing a unique regular transforming edge to satisfy each.¹ We will illustrate this process by an example, leading to a protocol akin to Carlsen's protocol [2].

Fig. 23. Shape of the New Protocol


6.1  An  Example  Design  Process 


In this example, we aim to modify the Otway-Rees protocol (Figure 18) in two ways. First, we imagine a situation in which the principals A, B have very limited cryptographic power. Thus, we would like to avoid encrypting both the initial requests and the server's response. Since the latter must be encrypted (to protect the confidentiality of the session key), we will not encrypt the original requests. Instead of using outgoing tests, like Otway-Rees, this new protocol will use incoming tests, because they do not require the initial request to be encrypted.

Second,  the  new  protocol  is  intended  to  assure  each  principal  that  the  other 
is  in  possession  of  the  same  session  key,  which  Otway-Rees  does  not  achieve 
(Section  5.1.2).  To  do  so,  we  will  also  use  incoming  tests  in  which  each  princi¬ 
pal  answers  a  challenge,  using  the  session  key  to  encrypt  the  challenge  value 
presented  by  the  other  principal. 

We will first describe the shape of the new protocol; it will extend the shape of Otway-Rees as needed to include the final challenges and responses, as shown in Figure 23. A's challenge to B may be presented on the transmission $\alpha_1 \rightarrow \beta_1$, and B's response may be returned on $\beta_4 \rightarrow \alpha_2$, so this does not require any change to the shape. We will have B present his challenge to A on $\beta_4 \rightarrow \alpha_2$, and A answer the challenge on $\alpha_3 \rightarrow \beta_5$. Adding this message is the only change we need to make to the shape of the protocol.

¹ Of course, at other levels of abstraction there are other issues, concerning how to negotiate cryptographic algorithms, how to evaluate whether cryptography has been used safely, how to format messages, how to distribute certificates, how to align key streams, and so on, that are not considered at the current level of abstraction.

Fig. 24. Important Components within the New Protocol

A must generate a nonce $N_a$ at $\alpha_1$, which will be transformed by the server on the edge $\sigma_1 \Rightarrow \sigma_2$. At node $\sigma_2$, this nonce must be embedded in the same encrypted component $t_1^A$ as the session key; this will authenticate to A that the server has generated the session key K.

Also, A must generate a nonce at $\alpha_1$ for B's use in demonstrating possession of K. B will transform it along his strand between $\beta_1$ and $\beta_4$, emitting it within an encrypted component to satisfy A's second test. We prefer to use the same nonce $N_a$ here too, to save A the computation required to generate another, and we will need to check that this sharing will not invalidate any assumption of the authentication test results.

B must likewise generate a nonce $N_b$ at $\beta_2$, to be transformed by the server along the edge $\sigma_1 \Rightarrow \sigma_2$, producing an encrypted term $t_1^B$. This same nonce may also be transmitted to A to be transformed along $\alpha_2 \Rightarrow \alpha_3$. A uses the session key K to produce an encrypted component containing $N_b$.

Hence, we may fill in some of the components that must be transmitted over the different arrows, as tabulated in Figure 24. We include the names of the principals A and B on arrows $\alpha_1 \rightarrow \beta_1$ and $\beta_2 \rightarrow \sigma_1$, as a practical necessity so that the recipients have a clue who is making the request. At node $\alpha_2$, both of A's incoming tests are complete, so at this point, A has received all his authentication guarantees.

We must now define the four test components $t_i^A, t_i^B$ for i = 1, 2. $t_1^A$ must guarantee to A that the key server has generated K in response to $N_a$, and for use by A and B. Therefore $t_1^A$ must take a form such as $\{|\ldots N_a\,B\,K|\}_{K_A}$; the key $K_A$ identifies this as a component constructed on behalf of A. For a similar reason, $t_1^B$ must take a form such as $\{|\ldots N_b\,A\,K|\}_{K_B}$. We want to ensure that $t_1^A$ and $t_1^B$ are of different forms; to do so we select two distinct text values, to which we will refer using the constants $c_A$ and $c_B$, defining the first test components

$t_1^A = \{|c_A\,N_a\,B\,K|\}_{K_A}$ and $t_1^B = \{|c_B\,N_b\,A\,K|\}_{K_B}$

Turning now to the second authentication test for each participant, we need only that the nonces $N_a$, $N_b$ be encrypted with the session key K, and that the test components take distinct forms. Hence we may choose

$t_2^A = \{|c_A\,N_a|\}_K$ and $t_2^B = \ldots$

We  have  now  selected  the  complete  message  structure  for  the  protocol. 


6.2  Security  Goals  of  the  New  Protocol 


Informally,  the  protocol  appears  to  achieve  the  following:  The  initiator  A  and 
responder  B  receive  a  fresh  session  key  K  from  a  trusted  key  server.  They 
share  it  between  themselves  without  disclosing  it  to  any  other  party.  Each 
learns  that  the  other  has  proceeded  far  enough  in  the  protocol  to  have  received 
the  session  key. 

Let us represent strands with the trace shown in Figure 24 in the column marked A as Init[A, B, N_a, K, N_b]; those with the trace shown in column B as Resp[A, B, N_a, N_b, K]; and those with the trace shown in column S as Serv[A, B, N_a, N_b, K].

Next, let us make the goals more rigorous. Suppose that C is a bundle for the protocol, and suppose $K_A, K_B \notin K_P$.

(1) Authenticating the server:

(a) If $s_i \in$ Init[A, B, N_a, K, *] has C-height 2, then there exists $s_s \in$ Serv[A, B, N_a, *, K] of C-height 2.

(b) If $s_r \in$ Resp[A, B, *, N_b, K] has C-height 3, then there exists $s_s \in$ Serv[A, B, *, N_b, K] of C-height 2.

These conditions say that if the initiator reaches node $\alpha_2$ (or the responder reaches $\beta_3$), then the server has a run that matches in principals, nonce, and session key. Goal 1a is achieved by the incoming test on the edge $\alpha_1 \Rightarrow \alpha_2$ with test component $t_1^A$, and Goal 1b is achieved by the incoming test on the edge $\beta_2 \Rightarrow \beta_3$ with test component $t_1^B$.

(2) Session key secrecy: If $s_s \in$ Serv[A, B, *, *, K] has C-height 2, then $K \in S_1$.

This requires the same assumption about server behavior that we used in Section 5.1.1, Clause 3, and again in Section 5.2.
Fig. 25. Carlsen's Protocol


(3) Authenticating the interlocutor:

(a) If $s_i \in$ Init[A, B, N_a, K, *] has C-height 2, then there exists $s_r \in$ Resp[A, B, N_a, *, K] of C-height 4.

(b) If $s_r \in$ Resp[A, B, N_a, N_b, K] has C-height 5, then there exists $s_i \in$ Init[A, B, N_a, K, N_b] of C-height 3.

These two statements assert that the principals' use of K to encrypt $N_a$ and $N_b$ shows them that each agrees on the other's identity, as well as the session key and the nonces. Goal 3a is achieved by the incoming test on the edge $\alpha_1 \Rightarrow \alpha_2$ with test component $t_2^A$, and Goal 3b is achieved by the incoming test on the edge $\beta_2 \Rightarrow \beta_5$ with test component $t_2^B$.


The check that the incoming tests achieve the corresponding goals is routine using the incoming authentication test result. The new protocol is very similar to Carlsen's (Figure 25). The differences between Carlsen's protocol and our new one are that we decided to reuse $N_b$ for the responder's second test; we decided to distinguish the first test components using different constants rather than different orderings; and we chose to distinguish the forms of the second test components. Of these contrasts, only the last makes any noticeable difference. It simplifies our proof of each principal's guarantee that the other has received the session key, although a careful argument shows that the same property is also achieved by Carlsen's protocol. However, neither Carlsen's protocol nor ours gives the key server any authentication guarantee whatever, because $A\,N_a\,B\,N_b$ does not contain an unsolicited test.


The  authentication  tests  seem  to  us  to  serve  quite  nicely  as  a  design  concept, 
allowing  a  designer  to  change  a  protocol  to  reallocate  cryptographic  burden 
while  achieving  the  intended  security  goals. 
6.3 Summary: Protocol Correctness


Having  completed  a  design  process,  there  are  five  questions  that  need  to  be 
answered  in  order  to  ensure  that  the  resulting  protocol  has  achieved  its  security 
goals: 

(1)  Is  the  set  of  penetrable  keys  P  disjoint  from  the  decryption  keys  for 
outgoing  components,  and  disjoint  from  the  encryption  keys  for  incoming 
and  unsolicited  components? 

(2)  Is  any  test  component  a  proper  subterm  of  a  component  of  term(n)  for 
any  regular  node  n? 

(3)  Are  there  ever  two  types  of  transforming  edge  that  transform  the  same 
outgoing  component,  or  produce  the  same  incoming  component? 

(4)  Do  the  parameters  contained  in  the  test  components  completely  deter¬ 
mine  the  data  values  contained  in  the  desired  authentication  guarantee? 

(5) If a data value is intended to remain secret, is it always protected by at least one key K whose corresponding decryption key $K^{-1}$ is not penetrable?

The  first  two  questions  must  be  answered  affirmatively  to  apply  Authentica¬ 
tion  Tests  1-3,  which  then  entail  that  there  exist  matching  regular  transform¬ 
ing  edges. 

But  must  those  regular  transforming  edges  lie  on  the  strands  that  we  expect 
them  to  (Question  3)?  A  common  cause  of  authentication  failure  arises  when 
there  is  also  another  edge  that  can  transform  the  same  value  (e.g.  Neuman- 
Stubblebine  with  re-authentication  and  Woo-Lam).  Alternatively,  we  may 
know  that  a  transforming  edge  of  the  kind  desired  is  present,  but  it  may 
not  determine  all  of  the  parameters  that  we  would  like  to  agree  on  (Ques¬ 
tion  4).  This  was  the  reason  for  the  failure  of  the  original  Needham-Schroeder 
protocol,  and  for  the  second  Woo-Lam  failure. 

If  the  third  and  fourth  questions  are  answered  affirmatively,  then  the  authen¬ 
tication  goals  of  the  protocol  will  have  been  met.  Finally,  question  5  assures 
that  the  protocol’s  secrecy  goals  will  also  be  met. 

Protocol  designers  need  to  be  alert  when  Question  3  and  Question  4  receive 
negative  answers.  Then  there  are  unintended  services,  situations  in  which  the 
protocol  itself  offers  a  transformation  that  can  be  abused  by  the  penetrator. 
We  recommend  that  protocol  designers,  even  when  working  without  any  for¬ 
mal  framework,  ask  themselves  whether  their  protocols  offer  any  unintended 
services  to  assist  the  penetrator  in  achieving  what  the  protocol  regards  as  es¬ 
tablishing  authentication.  Unintended  services  are  easy  to  recognize,  and  they 
are a strong clue where an attack on a protocol may lie.
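The following Python is an added example, not part of the paper: it applies Questions 3 and 4 above to the Woo-Lam roles described in Section 5.3, as a design-time check that reports the two failures that section discusses. The role traces are transcribed from that description; the tuple encoding, the sort labels and all function names are this example's own choices.

```python
from itertools import count

# Term encoding (this example's own): nested tuples in which pattern
# variables stand for the parameters of a protocol role.
def var(sort, name):      # role parameter of a given sort ("name", "nonce", "any")
    return ("var", sort, name)

def enc(key, body):       # {| body |}_key
    return ("enc", key, body)

def join(left, right):    # concatenation  left right
    return ("join", left, right)

def ltk(principal):       # long-term key K_{XS} shared by principal X with the server
    return ("ltk", principal)

def shape(term, renaming=None, counter=None):
    """Canonical form: pattern variables are renamed in order of first
    occurrence, keeping their sorts, so shape(t1) == shape(t2) exactly when
    t1 and t2 have the same form up to a renaming of role parameters."""
    if renaming is None:
        renaming, counter = {}, count()
    if term[0] == "var":
        _, sort, name = term
        if name not in renaming:
            renaming[name] = ("var", sort, "?%d" % next(counter))
        return renaming[name]
    return (term[0],) + tuple(shape(sub, renaming, counter) for sub in term[1:])

def variables(term):
    """Names of the role parameters occurring anywhere in term."""
    if term[0] == "var":
        return {term[2]}
    return set().union(*(variables(sub) for sub in term[1:]))

# Woo-Lam roles transcribed from Section 5.3 as traces of signed terms.
# X is the ciphertext that B forwards to the server without being able to open it.
A, B, Nb, X = var("name", "A"), var("name", "B"), var("nonce", "Nb"), var("any", "X")
WOO_LAM = {
    "Init": [("+", A), ("-", Nb), ("+", enc(ltk(A), Nb))],
    "Resp": [("-", A), ("+", Nb), ("-", X),
             ("+", enc(ltk(B), join(A, X))), ("-", enc(ltk(B), Nb))],
    "Serv": [("-", enc(ltk(B), join(A, enc(ltk(A), Nb)))),
             ("+", enc(ltk(B), Nb))],
}

def emitters_of_shape(roles, component):
    """Question 3: the positive regular nodes (role, index) whose term has the
    same form as the test component, i.e. every place a regular transforming
    edge producing it could end. More than one role here is an unintended service."""
    target = shape(component)
    return sorted((role, i) for role, trace in roles.items()
                  for i, (sign, term) in enumerate(trace, start=1)
                  if sign == "+" and shape(term) == target)

def undetermined_parameters(component, guarantee_params):
    """Question 4: parameters of the desired guarantee that the test component
    does not mention, so a matching transforming edge leaves them unconstrained."""
    return sorted(set(guarantee_params) - variables(component))

if __name__ == "__main__":
    test_component = enc(ltk(B), Nb)      # B's incoming test component {|N_b|}_{K_BS}
    print(emitters_of_shape(WOO_LAM, test_component))                 # [('Init', 3), ('Serv', 2)]
    print(undetermined_parameters(test_component, ["A", "B", "Nb"]))  # ['A']
```

The first report is the initiator's encrypting edge alongside the server's, the collision behind Figure 22; the second is the missing A behind the second attack.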
A Strands, Bundles, and the Penetrator


In  this  appendix,  we  define  the  basic  strand  space  notions  used  in  the  body 
of  the  paper.  This  material  is  derived  from  [26],  with  a  few  small  changes. 
For instance, the penetrator strands of type T (which duplicated a value for two receivers) and F (which flushed a value) were unnecessary. A positive node may be gregarious, having multiple out-arrows, which makes T strands unnecessary; a positive node may be lonely, having no out-arrows, which makes F strands unnecessary. Eliminating them from Definition 23 leads to a more symmetrical set of penetrator behaviors, simplifying normalization and other graph operations on bundles.


A.1 Strand Spaces


Consider a set A, the elements of which are the possible messages that can be exchanged between principals in a protocol. We will refer to the elements of A as terms. We assume that a subterm relation is defined on A; $t_0 \sqsubseteq t_1$ means $t_0$ is a subterm of $t_1$. We constrain the set A further below in Section A.3, and define a subterm relation there.

In  a  protocol,  principals  can  either  send  or  receive  terms.  We  represent  trans¬ 
mission  of  a  term  as  the  occurrence  of  that  term  with  positive  sign,  and  re¬ 
ception  of  a  term  as  its  occurrence  with  negative  sign. 

Definition 17 A signed term is a pair $\langle \sigma, a\rangle$ with $a \in A$ and σ one of the symbols +, −. We will write a signed term as +t or −t. $(\pm A)^*$ is the set of finite sequences of signed terms. We will denote a typical element of $(\pm A)^*$ by $\langle\langle\sigma_1, a_1\rangle, \ldots, \langle\sigma_n, a_n\rangle\rangle$.

A strand space over A is a set Σ together with a trace mapping $\mathrm{tr} : \Sigma \rightarrow (\pm A)^*$.

By  abuse  of  language,  we  will  still  treat  signed  terms  as  ordinary  terms.  For 
instance,  we  shall  refer  to  subterms  of  signed  terms.  We  will  usually  represent 
a  strand  space  by  its  underlying  set  of  strands  S. 

Definition 18 Fix a strand space Σ.

(1) A node is a pair $\langle s, i\rangle$, with $s \in \Sigma$ and i an integer satisfying $1 \le i \le \mathrm{length}(\mathrm{tr}(s))$. The set of nodes is denoted by $\mathcal{N}$. We will say the node $\langle s, i\rangle$ belongs to the strand s. Clearly, every node belongs to a unique strand.

(2) If $n = \langle s, i\rangle \in \mathcal{N}$ then index(n) = i and strand(n) = s. Define term(n) to be $(\mathrm{tr}(s))_i$, i.e. the i-th signed term in the trace of s. Similarly, uns_term(n) is $((\mathrm{tr}(s))_i)_2$, i.e. the unsigned part of the i-th signed term in the trace of s.

(3) There is an edge $n_1 \rightarrow n_2$ if and only if term($n_1$) = +a and term($n_2$) = −a for some $a \in A$. Intuitively, the edge means that node $n_1$ sends the message a, which is received by $n_2$, recording a potential causal link between those strands.

(4) When $n_1 = \langle s, i\rangle$ and $n_2 = \langle s, i+1\rangle$ are members of $\mathcal{N}$, there is an edge $n_1 \Rightarrow n_2$. Intuitively, the edge expresses that $n_1$ is an immediate causal predecessor of $n_2$ on the strand s. We write $n' \Rightarrow^+ n$ to mean that n' precedes n (not necessarily immediately) on the same strand.

(5) An unsigned term t occurs in $n \in \mathcal{N}$ iff $t \sqsubseteq$ term(n).

(6) Suppose I is a set of unsigned terms. The node $n \in \mathcal{N}$ is an entry point for I iff term(n) = +t for some $t \in I$, and whenever $n' \Rightarrow^+ n$, term(n') $\notin I$.

(7) An unsigned term t originates on $n \in \mathcal{N}$ iff n is an entry point for the set $I = \{t' : t \sqsubseteq t'\}$.

(8) An unsigned term t is uniquely originating iff t originates on a unique $n \in \mathcal{N}$.

If  a  term  t  originates  uniquely  in  a  particular  strand  space,  then  it  can  play 
the  role  of  a  nonce  or  session  key  in  that  structure. 

$\mathcal{N}$ together with both sets of edges $n_1 \rightarrow n_2$ and $n_1 \Rightarrow n_2$ is a directed graph $\langle \mathcal{N}, (\rightarrow \cup \Rightarrow)\rangle$.


A.2 Bundles and Causal Precedence


A bundle is a finite subgraph of the graph $\langle \mathcal{N}, (\rightarrow \cup \Rightarrow)\rangle$, for which we can regard the edges as expressing the causal dependencies of the nodes.

Definition 19 Suppose $\rightarrow_C \subseteq \rightarrow$; suppose $\Rightarrow_C \subseteq \Rightarrow$; and suppose $C = \langle \mathcal{N}_C, (\rightarrow_C \cup \Rightarrow_C)\rangle$ is a subgraph of $\langle \mathcal{N}, (\rightarrow \cup \Rightarrow)\rangle$. C is a bundle if:

(1) $\mathcal{N}_C$ and $\rightarrow_C \cup \Rightarrow_C$ are finite.

(2) If $n_2 \in \mathcal{N}_C$ and term($n_2$) is negative, then there is a unique $n_1$ such that $n_1 \rightarrow_C n_2$.

(3) If $n_2 \in \mathcal{N}_C$ and $n_1 \Rightarrow n_2$ then $n_1 \Rightarrow_C n_2$.

(4) C is acyclic.

In conditions 2 and 3, it follows that $n_1 \in \mathcal{N}_C$, because C is a graph.

For our purposes, it does not matter whether communication is regarded as a synchronizing event or as an asynchronous activity. The definition of bundle formalizes a process communication model with three properties:

• A strand (process) may send and receive messages, but not both at the same time;

• When a strand receives a message t, there is a unique node transmitting t from which the message was immediately received;

• When a strand transmits a message t, many strands may immediately receive t.


Notational Convention 1 A node n is in a bundle $C = \langle \mathcal{N}_C, \rightarrow_C \cup \Rightarrow_C\rangle$, written $n \in C$, if $n \in \mathcal{N}_C$; a strand s is in C if all of its nodes are in $\mathcal{N}_C$.

If C is a bundle, then the C-height of a strand s is the largest i such that $\langle s, i\rangle \in C$. C-trace(s) = $\langle \mathrm{tr}(s)(1), \ldots, \mathrm{tr}(s)(m)\rangle$, where m = C-height(s).

Definition 20 If $\mathcal{E}$ is a set of edges, i.e. $\mathcal{E} \subseteq \rightarrow \cup \Rightarrow$, then $\prec_{\mathcal{E}}$ is the transitive closure of $\mathcal{E}$, and $\preceq_{\mathcal{E}}$ is the reflexive, transitive closure of $\mathcal{E}$.

The relations $\prec_{\mathcal{E}}$ and $\preceq_{\mathcal{E}}$ are each subsets of $\mathcal{N}_{\mathcal{E}} \times \mathcal{N}_{\mathcal{E}}$, where $\mathcal{N}_{\mathcal{E}}$ is the set of nodes incident with any edge in $\mathcal{E}$.

Proposition 27 Suppose C is a bundle. Then $\preceq_C$ is a partial order, i.e. a reflexive, antisymmetric, transitive relation. Every non-empty subset of the nodes in C has $\preceq_C$-minimal members.

We regard $\preceq_C$ as expressing causal precedence, because $n \prec_C n'$ holds only when n's occurrence causally contributes to the occurrence of n'. When a bundle is understood, we will simply write $\prec$. Similarly, “minimal” will mean $\preceq_C$-minimal.


A.3 Terms, Encryption, and Freeness Assumptions


We will now specialize the set of terms A. In particular we will assume given:

• A set $T \subseteq A$ of texts (representing the atomic messages).

• A set $K \subseteq A$ of cryptographic keys disjoint from T, equipped with a unary operator $\mathrm{inv} : K \rightarrow K$. We assume that inv is an inverse mapping each member of a key pair for an asymmetric cryptosystem to the other, and each symmetric key to itself.

• Two binary operators $\mathrm{encr} : K \times A \rightarrow A$ and $\mathrm{join} : A \times A \rightarrow A$.

We follow custom and write inv(K) as $K^{-1}$, encr(K, m) as $\{|m|\}_K$, and join(a, b) as $a\,b$. If $\mathcal{K}$ is a set of keys, $\mathcal{K}^{-1}$ denotes the set of inverses of elements of $\mathcal{K}$. We assume, like many others (e.g. [14, 16, 20]), that A is freely generated, which is crucial for the results in this paper.

Axiom  1  A  is  freely  generated  from  T  and  K  by  encr  and  join. 

Definition 21 The subterm relation $\sqsubseteq$ is defined inductively, as the smallest relation such that $a \sqsubseteq a$; $a \sqsubseteq \{|g|\}_K$ if $a \sqsubseteq g$; and $a \sqsubseteq g\,h$ if $a \sqsubseteq g$ or $a \sqsubseteq h$.

g is a proper subterm of h if $g \sqsubseteq h$ and $g \neq h$.

By this definition, for $K \in K$, we have $K \sqsubseteq \{|g|\}_K$ only if $K \sqsubseteq g$ already.

Definition 22 (1) If $\mathcal{K} \subseteq K$, then $t_0 \sqsubseteq_{\mathcal{K}} t$ if t is in the smallest set containing $t_0$ and closed under encryption with $K \in \mathcal{K}$ and concatenation with arbitrary terms $t_1$.

(2) A term $t_0$ is a visible subterm of t if $t_0 \sqsubseteq_{\emptyset} t$.

(3) A term t is simple if it is not of the form $g\,h$.

(4) A term $t_0$ is a component of t if $t_0$ is simple and $t_0 \sqsubseteq_{\emptyset} t$.

We say that $t_0$ is a component of a node n if $t_0$ is a component of term(n).
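The following Python is an added example, not part of the paper: it implements the subterm relation of Definition 21, the $\sqsubseteq_{\mathcal{K}}$ relation and components of Definition 22, and origination and unique origination from Definition 18 (clauses 6 to 8), over a tuple encoding of the free term algebra. The encoding, the function names and the constructed two-strand sample space are this example's own.

```python
# Terms as nested tuples (this example's own encoding): ("text", t), ("key", K),
# ("enc", K, m) for {|m|}_K and ("join", g, h) for g h. Tuple equality is
# structural, which is what Axiom 1 (A freely generated) guarantees.
def text(t):    return ("text", t)
def key(k):     return ("key", k)
def enc(k, m):  return ("enc", k, m)
def join(g, h): return ("join", g, h)

def subterm(a, t):
    """a ⊑ t, Definition 21: descend through {|g|}_K only into g, never into K."""
    if a == t:
        return True
    if t[0] == "enc":
        return subterm(a, t[2])
    if t[0] == "join":
        return subterm(a, t[1]) or subterm(a, t[2])
    return False

def proper_subterm(a, t):
    return a != t and subterm(a, t)

def subterm_k(a, t, keys):
    """a ⊑_𝒦 t, Definition 22(1). t lies in the smallest set containing a and
    closed under encryption with K ∈ 𝒦 and concatenation with anything, so
    read downward: pass through joins freely, through {|m|}_K only if K ∈ 𝒦."""
    if a == t:
        return True
    if t[0] == "enc":
        return t[1] in keys and subterm_k(a, t[2], keys)
    if t[0] == "join":
        return subterm_k(a, t[1], keys) or subterm_k(a, t[2], keys)
    return False

def visible_subterm(a, t):          # Definition 22(2): 𝒦 = ∅
    return subterm_k(a, t, frozenset())

def simple(t):                      # Definition 22(3)
    return t[0] != "join"

def components(t):
    """Definition 22(4): the simple visible subterms of t, i.e. what is left
    after splitting concatenations but never opening encryptions."""
    if t[0] == "join":
        return components(t[1]) + components(t[2])
    return [t]

# Origination, Definition 18(6)-(8). A strand is a list of (sign, term); a
# strand space is a dict name -> strand; nodes are (name, i) with i >= 1.
def originates(t, strand, i):
    """t originates on node i of strand: the node is positive, t ⊑ its term,
    and no earlier node of the same strand already has t as a subterm."""
    sign, term = strand[i - 1]
    return (sign == "+" and subterm(t, term)
            and not any(subterm(t, earlier) for _, earlier in strand[:i - 1]))

def origin_nodes(t, strands):
    """All nodes on which t originates; t is uniquely originating (18(8))
    exactly when this list has one element."""
    return [(name, i) for name, tr in strands.items()
            for i in range(1, len(tr) + 1) if originates(t, tr, i)]

# Constructed two-strand space: A sends a nonce under K_AS and the server
# answers with a fresh session key K under the same long-term key.
K_AS, NA, SK = key("K_AS"), text("Na"), key("K")
REQUEST = join(text("A"), enc(K_AS, NA))        # A {|Na|}_{K_AS}
REPLY = enc(K_AS, join(NA, SK))                 # {|Na K|}_{K_AS}
STRANDS = {
    "init": [("+", REQUEST), ("-", REPLY)],
    "serv": [("-", REQUEST), ("+", REPLY)],
}

if __name__ == "__main__":
    print(components(REQUEST))                                   # two components
    print(subterm(K_AS, REPLY), subterm(NA, REPLY))              # False True
    print(visible_subterm(NA, REQUEST), subterm_k(NA, REQUEST, {K_AS}))  # False True
    print(origin_nodes(NA, STRANDS), origin_nodes(SK, STRANDS))  # [('init', 1)] [('serv', 2)]
```

Note that the key K_AS is not a subterm of the reply encrypted under it, exactly as the remark after Definition 21 states, while the nonce is a subterm but not a visible one.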


A.4 Penetrator Strands


The  atomic  actions  available  to  the  penetrator  are  encoded  in  a  set  of  pene¬ 
trator  traces.  They  summarize  his  ability  to  generate  known  messages,  piece 
messages  together,  and  apply  cryptographic  operations  using  keys  that  be¬ 
come  available  to  him.  A  protocol  attack  typically  requires  hooking  together 
several  of  these  atomic  actions. 

The actions available to the penetrator are relative to the set of keys that the penetrator knows initially. We encode this in a parameter, the set of penetrator keys $K_P$.

Definition 23 A penetrator trace relative to $K_P$ is one of the following:

$M_t$ Text message: $\langle +t\rangle$ where $t \in T$.

$K_K$ Key: $\langle +K\rangle$ where $K \in K_P$.

$C_{g,h}$ Concatenation: $\langle -g, -h, +g\,h\rangle$

$S_{g,h}$ Separation: $\langle -g\,h, +g, +h\rangle$

$E_{h,K}$ Encryption: $\langle -K, -h, +\{|h|\}_K\rangle$.

$D_{h,K}$ Decryption: $\langle -K^{-1}, -\{|h|\}_K, +h\rangle$.

$P_\Sigma$ is the set of all strands $s \in \Sigma$ such that tr(s) is a penetrator trace.

A strand $s \in \Sigma$ is a penetrator strand if it belongs to $P_\Sigma$, and a node is a penetrator node if the strand it lies on is a penetrator strand. Otherwise we will call it a non-penetrator or regular strand or node. A node n is an M, K, etc. node if n lies on a penetrator strand with a trace of kind M, K, etc.

We assume that all strand spaces have an adequate supply of C, S, E, and D strands; by contrast, M and K strands vary, thus modeling the set of values the penetrator may know or be able to guess.